ABSTRACT


The Navy Regional Data Automation Centers (NARDACs)
became a Navy Industrial Fund (NIF) activity on 1 October
1983. This change requires that NARDACs bill customers for
all data processing (DP) services provided. The impact of
the change to NIF accounting on the evaluation of management
performance is addressed within the context of the defined
control structure. The purpose of this thesis is to present
background information on the NIF concept, NARDACs, and
operational audits, and to provide general recommendations
for the design and application of operational auditing for a
NARDAC. It is also to discuss benefits to be derived by
managers of a NARDAC examined by an operational audit. A
guide for performing an operational audit of a NARDAC is
outlined.
I. INTRODUCTION


A. GENERAL

In an attempt to understand the environment in which the
Navy Regional Data Automation Centers (NARDACs) operate, it
is essential to examine the fundamentals of the business of
managing information services in general. This requires
taking a wider view of computers, information resources
management, and the events that led to the formation of the
Naval Data Automation Command (NAVDAC). A review of the
factors leading to the establishment of NAVDAC as a Navy
Industrial Fund (NIF) activity is also necessary.

The Navy Regional Data Automation Centers (NARDACs) can
be likened to an information services department in a large
business corporation. NARDACs are information processing
centers operating under the central management of the Naval
Data Automation Command. They exist to provide high
quality, low cost, non-tactical data processing services to
operational customers in regions of extensive Navy activity.
Each NARDAC is a support organization dedicated to improving
the quality of computer support available to Navy activities
in its region. Automated data processing (ADP) services
offered by the NARDACs range from one-time technical
consultations to full responsibility for processing applications
on a scheduled production basis. Clients negotiate as
requirements arise for the level of support needed. Thus,
the extensive literature dealing with corporate information
services management is applicable to NARDACs.


B. COMPUTERS — A HISTORICAL PERSPECTIVE


Managing information resources has become a task of
overwhelming size and complexity. Technological, social,
cultural, and political issues interact with one another
making it increasingly difficult to distinguish which issue
is important and which is not. Yet making these distinctions
is essential to any organization with a large investment
in information resources — people, machines, and
technologies.

Unit costs of hardware continue to decline [Ref. 1].
Because computer needs continue to rise, total hardware
costs continue to rise. Purchased software costs are rising
slightly and people costs are rising at an ever increasing
rate. These economic trends affect both the manager and
users' perception of system efficiency.

Over the past thirty years, the rapid evolution and
spread of computers, telecommunications, and office automation
has created a major new set of managerial changes.
Attempts to resolve these challenges have resulted in the
creation of new departments, massive recruiting of staff,
major investments in computer hardware and software,
mechanization of routine tasks — inventory, payroll and accounts
receivables — and installation of systems which have had a
profound impact on how the organization operates.

Managing  these  challenges  is  complex  because  far  too 
many  members  of  the  computer  professional  community  received 
both  their  education  and  early  work  experience  in  a  time 
prior  to  the  wide-scale  introduction  of  computer  technology. 
The  cultural  impact  has  resulted  in  managers  who  feel 
somewhat  uneasy  about  the  subject  and  lack  confidence  that 
they  have  the  appropriate  background  to  provide  managerial 
oversight.  Their  firsthand  technical  experience  was  with 
technologies  vastly  different  from  those  of  the  1930s. 

In the early 1960s, the computing business began to look
so different because of software development and stored
programming. Only a small percentage of the professionals
managed the transition to that new and totally different
information management culture. Understanding the programming
challenges of the rotational delay of the drum of
machines in that era, however, provides no value in dealing
with the challenges posed by today's sophisticated computer
operating systems. [Ref. 2]

Moreover, understanding of what makes acceptable management
practice in this field has changed dramatically since
the early 1970s. Virtually all major, currently acceptable
frameworks for thinking about how to manage in this field
have been developed since then. Consequently, a special
burden has been placed on information systems management,
not just to meet day-to-day operating problems and new
technologies, but to assimilate and implement quite different
ways of managing the activity. If not committed to a
process of self-renewal, occupational obsolescence very
quickly results.

C. CHALLENGE OF INFORMATION SERVICES MANAGEMENT

It would be a serious mistake, of course, to consider
the problems of computer systems management as being totally
unique and separate from those of general management. The
various elements of the data processing function require a
high level of continuing communications and cohesive
interrelationships to ensure adequate planning, development, and
implementation of complex systems. The issues of information
services organization, planning, control, strategy
formulation, budgeting, transfer pricing, profit centers,
cost centers, and so forth, are relevant here. The individual
aspects of computer management problems thus are not
unique. What is unique is the combination of these issues
in running an efficient and evolving function.

Because of this combination of issues, data processing is
unlike any other activity within an organization. It
combines a highly technical skill level with creativity. It
requires a broad management outlook in its design stages,
but an extremely detailed outlook in its implementation
stages. Its managers must be concerned about the impact of
their work on overall policy, procedure, and organization
structure, while still maintaining an interest in individual
data fields. It is a service function, yet it significantly
influences the procedures of those it serves. It may be
organizationally placed as one function, yet must maintain
an objectivity in meeting the needs of functions crossing
many organizational lines. To accomplish its job, its
managers must have a line manager's knowledge of other
functions within the company and still maintain a staff advisory
outlook.

Each of these facets places a special burden on the
selection of the appropriate information systems
organizational structure. Data processing management must be
continually alert to the fact that today's appropriate
organization structure may not meet tomorrow's conditions or
needs. Organization structure seldom remains static, and
should be modified to meet changing conditions of assigned
responsibilities, service role, and growth.

D. NAVAL DATA AUTOMATION COMMAND (NAVDAC)

This section provides a brief look at the Naval Data
Automation Command (NAVDAC) organization, its mission and
the field activities under NAVDAC. NAVDAC, and the NARDACs
and NAVDAFs, were formed as the result of the "Navy
Automatic Data Processing (ADP) Reorganization Study
Implementation Plan" of October, 1976. The reorganization
was in response to the major ADP problems brought to light
by a General Accounting Office (GAO) report that was critical
of Navy ADP. In October 1977, NAVDAC became
operational. The mission of the NAVDAC is to administer and
coordinate the Navy non-tactical ADP program. This
responsibility includes collaboration of ADP matters with all Navy
ADP claimants; development of policy and procedures;
approval of systems development, acquisition and utilization
of ADP equipment and service contracts; sponsoring of ADP
technology; and career development and training of ADP
personnel. NAVDAC consists of a headquarters staff located
in the Washington Navy Yard and field activities situated
throughout the country in areas of high concentration of
Naval activities. Figure 1.1 displays a diagram of the
NAVDAC organization. These field activities are called
NARDACs and Navy Data Automation Facilities (NAVDAFs).

Each NARDAC established under the NAVDAC was formed from
existing facilities and operations in a particular
geographical area. The seven NARDACs are located in Washington,
D.C., Norfolk, Virginia, Jacksonville and Pensacola,
Florida, San Francisco and San Diego, California and New
Orleans, Louisiana. Each activity is designed to provide a
full range of data processing services to their assigned
geographic area. A standard NARDAC organization is depicted
in Figure 1.2. Each center, however, may have specialized
units to meet special requirements. The goal was to provide
the Navy with "centers of excellence" that would provide
data processing services, programming support, technical
expertise, trouble shooting, telecommunications networking,
distributed processing, and other ADP related services.
[Ref. 3]

Figure 1.1 NAVDAC Organization Chart

ORGANIZATION STRUCTURE

The NARDACs became Navy Industrial Funded (NIF) activities
on 1 October 1983. This requires that NARDACs bill
customers for services provided. The problem began on
February 7, 1978, with the delivery of a report by the
General Accounting Office (GAO) to the Congress entitled
"Accounting for Automatic Data Processing Costs Needs
Improvements" [Ref. 4]. After studying the cost accounting
practices of twenty six federal organizations, the GAO
concluded that all were using inadequate accounting methods.
The report stated that without accurate costs, computer
center managers may choose uneconomical alternatives when
replacing or adding to computer facilities. They may also
fail to charge users of computer facilities equitable
amounts for services rendered. Further, functional managers
cannot make the best decisions when they are not aware of
the total cost of implementing and operating their
applications systems. GAO stated that cost records should be
structured so that costs for both data processing and the
agencies' programs can be identified. The report concluded
that the mission funded concept was not adequate for the
cost accounting necessary for computer operations.

The strongest point made in the GAO report was that the
cost of computer services as reported by federal agencies
often excluded major items of costs, such as military labor
and overhead. Computer services cost had traditionally been
stated in terms of Operations and Maintenance, Navy (O&MN)
costs, since these costs were the only costs billable to the
customer under the Resources Management System (RMS). The
report indicated that an accounting system was necessary
that would reflect the true cost of providing the computer
services. [Ref. 5]

The GAO issued guidelines for accounting for ADP costs
which state that "all significant elements of cost directly
related to acquiring computers and associated assets and to
performing data processing functions should be collected and
accounted for in ways useful for management, budgeting, and
external reporting. Organizational boundaries and differences
in financing methods should not prevent reasonable
compilation of all ADP-related expenses in cost accounts."
The categories of cost required for full cost accounting
are: [Ref. 6]


1. Personnel. Salaries and fringe benefits for
civilian and military personnel who perform and
manage ADP functions: ADP-related custodial
services, security, building maintenance, and
contract management.

2. Equipment. Nonrecurring expenditures for acquisition
and recurring costs for rental, leasing, and
depreciation of computers and associated on-line and
off-line ADP equipment.

3. Computer Software. Nonrecurring expenditures for
acquisition, and conversion and recurring expenses
for rental, leasing, and depreciation of all types
of software — operating, multipurpose, and application.

4. Space Occupancy. Funded and unfunded costs for:
(a) rental, lease, and depreciation of buildings and
general office furniture; (b) buildings maintenance;
(c) regular telephone service and utilities; and (d)
custodial services and security.

5. Supplies. Expenditures for noncapital office
supplies and general-purpose and special-purpose
data processing materials.

6. Intra-agency Services and Overhead. The costs of
normal agency support services and overhead, either
billed or allocated, and the costs of central
management, policy, and procurement services.

7. Contracted Services. Any of the above services if
procured contractually.


In response to both the GAO report and a congressional
study conducted by the House Appropriations Committee's
(HAC) Survey and Investigation Staff, the Navy recommended
the addition of the NARDACs to the Navy Industrial Fund as
part of Fiscal Year 1984 Navy input to the President's
Budget.


II. THE NAVY INDUSTRIAL FUND


A.  BACKGROUND 

The Navy Industrial Fund (NIF) was established as a
means of helping certain Navy activities to function more
efficiently and in a business-like manner. The reasoning
behind the establishment of the Industrial Fund was that
commercial/industrial type of activities that are qualified
to operate under NIF could be freed from many of the worries
arising from the total dependence on the cycle of annual
appropriations (authorizations from Congress to set aside
certain funds for specific purposes for limited time
periods). For this reason, the Navy Industrial Fund
Appropriation was established by Congress. The NIF
Appropriation has indefinite life from which qualified
commercial/industrial activities can be given working
capital (cash) to operate on a revolving fund basis similar
to private enterprise. [Ref. 7]

The term "revolving fund" means that working capital
(called NIF corpus) is used to finance operations from
the time that specific work is begun to the time that
payment is received from the customer. [Ref. 8]

All commercial/industrial enterprises need working
capital. The difference between private industry and
government is, of course, the profit motive. With NIF, the
financial goal is to break even. This means the NIF
activity should charge the customer the same prices as it
costs the NIF activity to do the work. The NIF fund
"revolves" in that payment received from the customers
replenishes the working capital fund which is continually
used to finance operations. The attempt to break even
requires rigorous control of costs, and projection of
billing rates, because if NIF has cost overruns, it incurs
losses (not just making a little less profit as is the case
of private industry). [Ref. 9]

The Navy operates 51 activities under the Navy
Industrial Fund. Figure 2.1 is a listing of the various NIF
Activity Groups, and relative volume of customer orders as
budgeted for Fiscal Year (FY) 1984. The Navy Regional Data
Automation Centers (NARDACs) are operating as a single
member activity group under the NIF for the first time,
beginning FY 1984, in keeping with the Congressional intent
of the FY 1982 DOD Appropriation Act. [Ref. 10]


NIF ACTIVITY GROUP STRUCTURE

Activity Group                       Number of     FY 1984 Budget
                                     Activities    ($ Millions)

Navy Research Lab                         1            $  324
Military Sealift Command                  1             2,334
Shipyards                                 8             3,557
Ordnance Facilities                      10             1,328
Air Rework Facilities                     6             1,536
Air Labs                                  3               647
Air Engineering Center                    1               142
Aviation Center                           1               155
Public Works Centers                      8               967
Construction Engineering Lab              1                41
Publications and Printing Service         1               187
Missile Facilities                        2                64
Navy Research Labs                        7             2,039
Regional Data Automation Centers          1               157

Totals                                   51

Figure 2.1 NIF Activity Group Structure.

The activity groups are organizationally controlled by
and responsible to Activity Group commanders such as Naval
Sea Systems Command (NAVSEA) for all shipyards and Naval
Data Automation Command (NAVDAC) for all NARDACs. Overall
NIF management is the responsibility of the Comptroller of
the Navy (NAVCOMPT) who must not over obligate the corpus as
a whole.

The  specific  directive  under  which  Industrial  Funds  have 
been  implemented  within  the  Department  of  Defense  is  DOD 
Directive  7410.4. 


The Navy Industrial Fund is a one-time appropriation of
working capital provided by Congress from which the
Comptroller of the Navy allocates required amounts to
activities approved for operations under the Navy
Industrial Fund. [Ref. 11]


This appropriation was established in 1949. The
corresponding NIF Accounting System, rather than the
appropriation itself, is usually referred to as "NIF". The
££A£l££li££ ISlUIS 3, Chapter 3, entitled "Navy
Industrial Fund" is the Navy implementation of DOD directive
7410.4.

The inception of the Navy Industrial Fund with application
of modern business methods was widely heralded by the
public as an effort on the part of the military to end
inefficiency and waste, to create cost consciousness at all
levels, and to reflect tangible savings as the result of
sound financial management.

The Comptroller of the Navy, in reporting on the effect
of industrial funding, stated:


"It should be re-emphasized that the installation of NIF
financing and its related 'custom-built' budgeting,
accounting, and reporting system at an industrial-type
or commercial-type field activity, of itself does not
assure an efficient and economical operation. Many
potent management tools are inherent in these NIF
systems, however, especially in the cost control and
financial control areas; and the proper use of these
tools should materially assist in the effective management
of industrial-commercial type activities."
[Ref. 12]


An important aspect of the NIF System is the concept of
a revolving fund and its inherent flexibility. The fund is
used as operationally required to finance work for customers
on a self-sustaining basis. The Industrial Fund Activity
takes orders for work from Navy customers, performs the work
with dollars from the fund, bills the customers for the
work, and receives reimbursement from the customers. The
fund is reimbursed for supplies and materials used, services
rendered, or labor performed by charges to applicable
customer appropriations or payments received in cash.
Consequently, the NIF provides the following advantages:


1. A modern business-type budgeting and accounting
system permitting "tailor-made" adaptations.

2. A basic accounting system that has been stable for
years and promises to continue relatively unchanged
(especially important in this age of automation).

3. Authority, though limited, to start emergency work
on a sponsor's order prior to receipt of funds
(Commanding Officer's orders).

4. A means of financing and carrying inventories of
non-standard material.

5. The convenience of using working capital for
initially charging all costs.

6. A method for developing total costs of each task or
project, including overhead.

7. A means for producing management cost data by job
orders, cost centers, or other organizational
breakdowns.

8. Assistance for management to better control money,
manpower, material, and facility resources.


Figure  2.2  is  a  list  of  all  NIF  activity  groups  and 
activity  group  managers. 

Basic to the functioning of NIF activities is the division
of effort into functional units called cost centers.
Under the cost center concept, any level of the
organizational structure might be a cost center. It could be an
entire department or a subdivision of one.


GROUP                         MANAGER

R & D Centers                 Chief of Naval Material
Shipyards                     Naval Sea Systems Command
Ordnance Activities           Naval Sea Systems Command
Air Rework Facilities         Naval Air Systems Command
Test and Eval. Activities     Chief of Naval Material
Public Work Centers           Naval Fac. Eng. Command
Civil Engineering Lab         Naval Fac. Eng. Command
Navy Printing & Pubs.         Navy Supply Systems Command
Strategic Weapons Fac.        Strategic Sys. Prog. Command
NARDACS                       Naval Data Automation Command


Figure 2.2 Activity Group Managers.

All orders are accepted on the basis of a fixed price or
on a cost reimbursable basis. In either case, the estimated
costs are based upon the published stabilized rates
pertaining to the product or service ordered. These stabilized
rates are based upon budgeted costs. Customers are
billed at the stabilized rate regardless of the actual cost.
Non federal government customers are exempt from the rate
stabilization program and are charged actual costs incurred.
Fixed price orders are negotiated and billed on the basis of
stabilized rates. When actual costs are less than the
billed price, the activity makes a profit. A loss occurs
when actual costs are more than the billed price.

NIF activities submit their budget (A-11 Budget)
directly to NAVCOMPT into the Navy Industrial Fund Reporting
System (NIFRS). NAVCOMPT operates the NIFRS and maintains
a budget data base for use by the NIF Activity Group
Managers and for Department of the Navy (DON) NIF budgets
and reports. The NIFRS also captures individual NIF activity
monthly reports, summarizes the data by NIF Activity
Group and prepares the monthly reports for DON. It allows
evaluation of NIF activities performance in comparison to
the budget.


B. RATE STABILIZATION


Prior to the implementation of the rate stabilization
program, most NIF activities developed and revised the rates
charged to customers on a quarterly basis. The rates were
devised to return to customers any profits previously made
by the NIF activity or to recover any losses with the
objective of achieving a zero accumulated operating results
account balance at the end of the following quarter. Under
the rate stabilization concept, however, rates to be charged
for services by NIF activities are based upon the
President's Budget. Thus, for example, during the summer
and fall of 1982, NIF activities, Activity Group Commanders,
NAVCOMPT, DOD and OMB reviewed and submitted budgets for FY
1984 which assumed a rate equal to that budgeted for FY 1984.
Moreover, these rates reflected actual/projected performance
through FY 1982 and FY 1983 and were intended to achieve a
zero accumulated operating results balance for the fiscal
year ending in 1984.

A principal objective of stabilized rates was to shelter
DOD customers from inflation induced variances in cost
increases in excess of those budgeted. This was to allow
better financial planning by the DOD and the Navy.
Industrial fund rate increases during the years prior to
rate stabilization sometimes made it necessary for customers
to reduce their programs in order to remain within their
appropriated fund availability. These reductions, in turn,
created further imbalances within the NIF activities which
ultimately were also passed on to customers.

NAVCOMPT Note 7111 of 10 June 1975 announced to Navy
activities the DOD requirements for the establishment of
stabilized rates, and target dates for implementation were
set. Stabilized rates have been in effect for all NIF
activities since the start of FY 1977.


NAVCOMPT Instruction 7600.23B provided amplifying
guidance as follows:


"In developing and establishing rates, each activity
will adhere to the principle of aligning rates to
recover operating costs. Activities should devise a
sufficient number of rates to ensure that the rate
system is a reasonable model of the actual cost of
performing the various categories of work or services
covered by the rates. Stabilized rates submitted by the
activities will be reviewed and adjusted by the Activity
Group manager, to provide the necessary changes to
offset the total prior year gains or losses thereby
achieving zero profit and loss in the Accumulated
Operating Results Account of the Activity Group. Gains
and losses will normally be fully offset during the year
following their occurrence, and will be reflected
uniformly in the rates of the Activity Group. Changed
conditions resulting from the Office of the Secretary of
Defense review of the Activity Group manager's A-11
Budget, and changes in the customer programs occurring
during the budget review cycle will result in stabilized
rates being again reviewed and additional changes made
where appropriate." [Ref. 13]


Rates established for NIF activities are expected to
remain in effect for the entire fiscal year. Shipyard
rates, however, are normally in effect for the entire period
that a ship is in the yard regardless of the number of
fiscal years involved. Rates for work unrelated to the ship
will change with the fiscal year. Rate changes during the
fiscal year are expected to be rare, and may be made only
upon approval of the Assistant Secretary of Defense
(Comptroller). In a major sense, rate stabilization did
help the Navy to cope with the radical swing in inflation,
utilities, and fuel prices during Fiscal Year 1978 through
Fiscal Year 1981.

A significant problem associated with stabilization is
the failure of the process to make known the stabilized
rates to the customers early enough to be useful in budget
preparation at the local level. The process of attempting
to balance the customer budget requests with the NIF funding
in the President's Budget is done by NAVCOMPT, a level
considerably higher than local customer budgeting, causing
imbalances that are not discovered until a year later.

Any variance between stabilized-rate billing and actual
costs becomes a profit or loss of the NIF activity and is
absorbed by the corpus. By the time a profit or loss is
realized, however, the next year's rates are already
established. These profits or losses are not offset, therefore,
until the next rates are set. The NIF activity,
consequently, essentially operates on a three-year cycle.

The essence of rate stabilization is that rates are set
annually for the entire fiscal year. The combination of
rate stabilization and NIF budgeting results in rates being
set one to two years in advance of actual use in billing.
The rates charged represent modifications by the NIF
Activity Group commander, NAVCOMPT and the Office of the
Secretary of Defense (OSD) to those proposed by the NIF
activity. As a consequence, individual NIF activity
commanders do not directly determine rates or change
stabilized rates when a flaw is found. Stabilization has
resulted in a rather substantial loss of autonomy by NIF
activities because they are no longer in control of the
inflow of resources to their command and can not control the
profit or loss for a particular period. The cash balance is
also beyond their control. In spite of this lack of
control, the performance of NIF activity commanders has been
evaluated with the financial position of the individual
activity as a factor. It seems obvious that the control
system was weakened by rate stabilization and the loss of
autonomy by NIF activities.


III. NAVY ACCOUNTING PROCEDURES


A. NAVY ACCOUNTING AT THE HEADQUARTERS LEVEL

Accounting in the Federal Government provides financial
information for use by the management of a particular agency
and for use by the Department of Treasury, Office of
Management and Budget (OMB), and the Congress. Such
information is used for these various reasons:

1. Facilitate efficient management.

2. Support budget requests.

3. Show the extent of compliance with legal provisions.

4. Report (in financial terms) to other agencies, to
the Congress, and to the public, the status and
results of the agencies' activities.

The forerunner to today's budget and accounting system
was the Budget and Accounting Act of 1921. This act
provided for a budget system under the Department of
Treasury. (This function was later transferred to the
Executive Office of the President.) The act also
established the General Accounting Office (GAO) headed by the
Comptroller General of the United States. The Comptroller
General was given the responsibility for developing
government accounting systems and was also given authority to make
expenditure analyses; maintain ledger accounts; investigate
the receipt, disbursement, and application of public funds;
examine books, documents, papers, and records of financial
transactions; perform audits, etc. Since 1921, there has
been a continuing attempt made, through legislation and
executive orders, to establish effective fiscal control over
all governmental activities. The respective headquarters
components maintain control of funds allocated to them
[Ref. 14].

B. WORKING CAPITAL FUNDS

In 1949, when Congress amended the National Security Act
of 1947 establishing the Department of Defense (DOD),
originally named the National Military Establishment, the need to
promote "efficiency and economy" through use of uniform
budgeting and fiscal procedures was recognized. Among the
features of the National Security Act was authorization (10
U.S.C. 2208) for the Secretary of Defense to establish
working capital funds for the purpose of financing supply
inventories and the capitalization of industrial type
activities. Thus what we know today as "industrial funds"
resulted from the National Security Act of 1947.

A fund has been defined as a "separate enterprise,
having assets, liabilities, net worth, income and
expenditures of its own." In government practice, a fund is not
tied to profit making; hence, the emphasis is not on
maximizing income. The fund is used to isolate a particular
area and allow management to focus on it as an entity.

The  goal  of  a  DOD  working  capital  fund  is  to  recover  all 
costs exactly--work to a zero profit [Ref. 15]. A working
capital  fund  is  not  controlled  by  an  annual  appropriation. 

C. RESOURCE MANAGEMENT SYSTEMS (RMS) ACCOUNTING

1. Background of RMS

The Resource Management System (RMS) was introduced
to the Navy through a Priority Management Effort (Project
PRIME) in Fiscal Year 1968. One basic change was to require
the costing of military personnel. Another major change was
the separation of procurement costs from operating costs.
The separation of expense and investment costs allows a
differentiation between those costs influenced by management
and those over which there is little control.

In operating RMS all activities are charged for
operating resources consumed by them at the time of
consumption. An expense is recognized when and where materials,
supplies, services or labor are used to accomplish a
mission. To distinguish between the time of purchase of
resources and the time of consumption, working capital is
used just as inventory accounts are used in commercial
practice. RMS changed traditional accounting systems to improve
and integrate accounting and reporting with programming and
budgeting.

2. RMS Accounting

Resource Management Systems (RMS) accounting
includes all procedures for collecting and processing
recurring quantitative information that (1) relates to resources,
and (2) is for the use of management. Resources are people,
materials, services and money. There are four principal
systems:

1. Programming and budgeting

2. Management of resources for operations

3. Management of inventory and similar assets

4. Management of acquisition, use and disposition of
capital assets

The Department of the Navy has promulgated a series
of publications for implementation of the Resource
Management Systems for operations within the Navy. A
handbook of instructions and procedures applicable at the field
activity level and at the departmental level and another one
for the operating forces have been developed [Ref. 16].


IV. THE MANAGEMENT CONTROL SYSTEM


A. INTRODUCTION

The information services (IS) management control system
is a critical network which integrates the information
systems activities with the rest of the organization's
operations. Information services include a central hub of
operations linked by telecommunications to remote devices that
may or may not have their own extensive data files and
processing power. IS integrates the separate technologies
of computers and telecommunications. While individual
projects often last more than a year, and planning takes a
multiyear view, the information services management control
system focuses on guidance primarily on a year-to-year
basis. The broad objectives an effective information
services management control system must meet include the
following: [Ref. 17]


1. Facilitate appropriate communication between the
user and deliverer of IS services and provide
motivational incentives for them to work together on a
day-to-day, month-to-month basis. The management
control system must encourage users and IS to act in
the best interests of the organization as a whole.
It must motivate users to use IS resources
appropriately and help them balance investments in this area
against those in other areas.

2. Encourage the effective utilization of the IS
department's resources, and ensure that users are
educated on the potential of existing and evolving
technology. In so doing, it must guide the transfer
of technology consistent with strategic needs.

3. It must provide the means for efficient management
of IS resources and give necessary information for
investment decisions. This requires development of
both standards of performance measures and the means
to evaluate performance against those measures to
ensure productivity is being achieved. It should
help facilitate make-or-buy decisions.
Four specific inputs appear to be critical to the
structuring of an appropriate information services management
control system for an organization. These are: [Ref. 18]


1. The control system must be adapted to a very
different software and operations technology in the
1980s than was present in the 1970s. An important
part of this adaptation is development of
appropriate sensitivity to the mix of phases of IS
technologies in the company. The more mature
technologies must be managed and controlled in a
tighter, more efficient way than ones in an early
start-up phase which need protective treatment
appropriate to a research development activity.

2. Specific aspects of the corporate environment
influence the appropriate IS Management Control System.
Key issues here include IS sophistication of users,
geographic dispersion of the organization, stability
of the management team, the firm's overall size and
structure, nature of relationship between line and
staff departments, etc. These items influence what
is workable.

3. The general architecture of the organization's
overall corporate management control system and the
philosophy underlying it.

4. The perceived strategic significance of IS both in
relation to the thrust of its applications portfolio
and the role played by currently automated systems.


The  next  subsection  discusses  alternate  methods  of  defining 
the  control  structure. 


B. ALTERNATE CONTROL APPROACHES


The establishment of an information services activity as
an unallocated cost center--a free resource to users--is
advantageous where the resource being used is small.
Accounting for such a cost center requires very low
expenditures, and the controversy caused by a system of charging
is avoided. On the other hand, significant problems usually
exist when the users perceive the resource as free and
attempt to make irresponsible uses of it. The unallocated
cost center also insulates the computer installation from
external measures of performance and makes possible the
hiding of operational inefficiencies. Although many
organizations start with an unallocated cost center approach, they
often evolve to some other form such as the approach of
using memos to inform users of what their charges would have
been if a chargeback system were being used. Unfortunately,
however, a memo about a charge does not have the bite of the
actual assignment of the charge. [Ref. 19]

The approach of establishing the information services
activity as an allocated cost center has the immediate
virtue of helping to make user requests more realistic.
While it opens up a debate as to what cost is, it avoids the
controversy about whether an internal service department
should be perceived as a profit-making entity. Inevitably,
however, the allocated cost center introduces a series of
complexities and frictions since such a system necessarily
has arbitrary elements in it. Full cost charges of a
central computer installation can inappropriately stimulate
the desires of the users to purchase mini/microcomputers.
Allocations could be less than full cost, depending on the
organization's overall management control philosophy.
[Ref. 20]

The chargeback process has led to a number of
unsatisfactory consequences from the users' perspective in the
majority of companies:

1. Charges are unintelligible and unpredictable.

2. Charges are highly unstable.

3. Charges tend to be artificially high in relation to
incremental costs.

4. Efficiency variables are directly assigned to
ultimate users.

5. Administration of the chargeback system is
frequently very expensive.
The system is based on passing all costs of the activity to
customers. The charge for operations costs is based on a
complex formula related to the use of the computer by the
application. The user cannot predict or control these
charges because the "equitable distribution" is dependent
upon what other applications happen to be run during the
month. To be effective, an information systems operations
chargeback system must be simple. A second desirable
characteristic is that the chargeback system should be perceived
as being fair and reasonable. A third desirable
characteristic of a chargeback system is that it should separate
information systems efficiency-related issues from user
utilization of the system. Information Systems should be
held responsible for its inefficiencies. Clearly, closing
at month- or year-end any over- or under-absorbed cost
variances to the user usually accomplishes no useful purpose.
[Ref. 21]

The  issues  involved  in  charging  for  information  systems 
maintenance  and  systems  development  are  fundamentally 
different  from  those  of  operations.  A  professional  contract 
should  be  prepared  for  such  expenditures  as  though  it  were  a 
relationship with an outside software company.

The establishment of the information services activity as
a profit center is a third method of management control.
This approach puts pressures on the information systems
function to hold costs down by stressing efficiency and to
market itself aggressively inside the organization.
Establishing information systems as a profit center,
however, has problems. Because of geography, shared data
files, and privacy and security reasons, many users cannot
go outside. In the short run, the profit center approach
leads to higher user costs because a "profit" figure is
added to the user costs. A deceptively intriguing approach
on the surface, underneath it has many pitfalls. [Ref. 22]
The investment center approach is similar to the profit
center approach. The critical difference is that the
information systems function is made fully responsible for the
assets employed and is forced to make appropriate trade-offs
of investment versus additional profits. This produces
strong motivations to delay capacity expansion and risk
serious erosion in service provided. Another problem is
that of focusing only on hardware as an asset and not
considering the software. A stand-alone investment center
can be perceived as being fully organizationally neutral.
When set up as a profit or investment center, the transfer
price becomes a critical issue. The strengths and
weaknesses of transfer pricing for the information systems
function are very similar to those found in transfer pricing in
general. With cost-based pricing, the profit center and
cost center are similar since profits can only be earned on
internal sales by generating positive efficiency variances.

C. THE NAVY'S ADP CHARGEBACK TEST

Before the creation of NAVDAC, the Data Processing
Service Centers (DPSCs) provided ADP support on a no-charge
basis. To realize "the performance and economic benefits
attainable" from a NARDAC, an ADP chargeback test was
instituted, in April 1978, at NARDAC San Diego. During the
initial phase, statistics were gathered on usage of the
NARDAC's resources by its customers. At the beginning of
the second phase, the customers were given funds based on
the utilization statistics gathered during the first phase.
These funds were to be used to reimburse the NARDAC for ADP
support.

Permission to deviate from the Resources Management
System was granted by the Comptroller of the Navy so that
indirect costs could be passed on to customers excluding the
overhead items of administration, electricity, and
maintenance of real property. The test algorithm allowed the
NARDAC to charge premiums or grant discounts based on the
customer's job priority and shift during which the job was
run. These premiums and discounts were based on a matrix of
percentages of full cost incorporating both requested
turnaround time and the requested shift. Such flexible pricing
allowed the customer to weigh the importance of his job
against the amount of money he was willing to pay. Because
of a legal opinion of the Head, Budget Policy Branch,
NAVCOMPT, all percentages in the matrix were to be set to
100. The resulting single charge nullified the most
important feature of the test. The opinion was that NAVCOMPT
would support a chargeback system which allocated all actual
costs directly associated with the operation of the computer
facility. The overhead items previously mentioned were to
be excluded. The charge was to be based upon the cost of
providing the service, not upon the economic value of the
services. Neither variable prices nor shift differentials
were allowable.

D. MANAGEMENT CONTROL AND BUDGETING

The foundation of the information services management
control process is the budgeting system. Its first
objective is to provide a mechanism for appropriately allocating
scarce financial resources. The budgeting process ensures
that fine-tuning in relation to staffing, hardware, and resource
levels takes place. A second important objective of
budgeting is to set the specific goals and possible
short-term achievements of the information systems activity.
Finally, the budget establishes a framework around which an
early warning system for negative deviations can be built.
Without a budget, deviations in a deteriorating cost
situation may not be detected in time for corrective action.

Effective monitoring of financial performance, however,
requires a variety of tools, most of which are common to
other settings. These normally include a series of reports
which highlight actual performance versus plan with
variances. Nonfinancial controls are also important in assuring
management that day-to-day operations are on target. These
include user surveys, reports which monitor staff turnover
trends, and reports on development projects. The type of
data needed varies widely from organization to organization.
V. NATURE AND ROLE OF OPERATIONAL AUDITING


A. INTRODUCTION

Auditing today differs considerably from what it was
centuries ago. In fact, it is also different from what was
practiced in the early twentieth century. Whereas the
purpose of accounts examination used to be to detect fraud
and certify the accuracy of records, the primary purpose now
is to express opinions on the fairness of presentation of
the financial statements. The purpose of auditing the
performance of management used to be to ensure compliance
with laws, policies, and regulations. The primary purpose
now, however, is to improve managerial performance and to
determine whether an organization, activity or program has
been managed economically, efficiently, or effectively.

Operational  auditing  is  the  term  used  in  this  thesis  in 
reference  to  auditing  involving  work  other  than  financial 
statement  examinations  to  evaluate  the  efficiency  and 
economy of a given operation. Such an audit is often called
a  management  audit  in  the  auditing  literature. 

Because  there  is  a  lack  of  standard  terminology 
concerning  the  types  of  audits,  the  principal  forms  of 
government auditing are described below [Ref. 23].


1. Financial and compliance--determines (a) whether the
financial statements of an audited entity present
fairly the financial position and results of
financial operations in accordance with generally
accepted accounting principles and (b) whether the
entity has complied with laws and regulations that
may have a material effect upon the financial
statements.

2. Economy and efficiency--determines (a) whether the
entity is managing and utilizing its resources (such
as personnel, property, space) economically and
efficiently, (b) the causes of inefficiencies or
uneconomical practices, and (c) whether the entity
has complied with laws and regulations concerning
matters of economy and efficiency.

3. Program results--determines (a) whether the desired
results or benefits established by the legislature
or other authorizing body are being achieved and (b)
whether the agency has considered alternatives that
might yield desired results at a lower cost.


An audit may be either one of these types or a
combination of any of them. A comprehensive audit includes all of
them. The operational audit is a subset of an expanded
scope or comprehensive audit whenever such broad audit work
is required. This subset is also referred to as an economy
and efficiency audit.

Operational auditing is planning for, obtaining, and
evaluating sufficient relevant evidence, by an independent
auditor, to determine whether an entity's management or
employees have carried out appropriate laws, regulations,
policies, procedures, or other management standards for
properly using its resources in an efficient and economical
manner. From the evidence on the audit objective, the
auditor comes to a conclusion and reports to a third party,
with sufficient evidence in the report to convince the third
party that the conclusion is accurate, and with a
recommendation for the possible correction of any deficiencies.

Accountability and attest are words often found in
auditing literature and sometimes are used to mean the same
thing. They are related, but they are not the same.
Persons in organizations are accountable and report to some
outside or higher level of authority. When reliability and
acceptability are required of the accountable party, an
independent person attests to the information through an
audit. The one who receives the audit report may be a
higher-level manager within the same organization, the board
of directors, the stockholders, the Congress, the
public--any individual or group to whom the management or
employees of an organization are accountable.
Operational auditing includes all internal operations of
an organization accountable to some higher level. It
includes operations for accounting, purchasing, personnel,
research or any other activity conducted by the
organization. Operational auditing attempts to determine for the
accountable entity the best use of manpower, material,
machinery, and information.

Auditors of management activities in government must
follow the 1981 revision of Standards for Audit of
Governmental Organizations, Programs, Activities, and
Functions by the Comptroller General of the United States.
These Standards, known as the "yellow book", have been
developed in cooperation with other federal, state, and
local auditing organizations, as well as the American
Institute of Certified Public Accountants. These standards
include a detailed discussion of the following items:

1.  Scope  of  Audit  Work 

2.  General  Standards 

3. Examination and Evaluation (Field Work) and
Reporting Standards for Financial and Compliance
Audits

4. Examination and Evaluation Standards for Economy and
Efficiency Audits and Program Results Audits

5. Reporting Standards for Economy and Efficiency
Audits and Program Results Audits

Conclusions  depend  upon  the  evidence  obtained  on  the  audit 
objective  and  are  based  on  three  common  elements: 

1.  An  appropriate  standard 

2.  The  actions  of  individuals  or  organizations  that 
either  did  or  did  not  follow  the  standard 

3. The results brought about by the actions of
organizations or individuals following, or not following,
the standard.
Although operational auditing is not a new technique, it
is  a  subject  of  increasing  interest.  The  operational  audit 
extends  traditional  audit  approaches  and  techniques  to 
examine  policy,  procedure  and  practice  in  industrial  and 
governmental  operations.  The  organizational  structure  and 
administrative  controls  are  examined  with  the  purpose  of 
determining  where  policies  and  operating  controls  vary  from 
those  essential  to  the  success  of  the  industry  or  agency. 

More specifically, the operational auditor looks for:
[Ref. 24]


1. The existence of those general policies which
determine the organization requirements--the functions
and activities essential to the conduct of the
business or government agency.

2. Indications that people have been designated to
perform each of these functions and that the scope
of their action and power of decision is both
defined and understood.

3. Predetermined goals or planned accomplishments for
each control area, including standards, estimates,
budgets, forecasts or other criteria to serve as
yardsticks for comparison and evaluation.

4. An efficient accounting system accumulates
information following the functional organization lines and
affords comparison between actual and planned
results.

5. A meaningful system of management information that
provides essential and timely decision-making data
to all three levels of management--top, middle and
supervisory. It should communicate current results
as well as future plans.

6. Control department statistics and financial trends
over a period of time that may indicate a
deterioration in the effectiveness of controllable
activities.

7. Good communications throughout the whole system of
administrative control and evidence that its purpose
is being achieved. The object is to determine and
transmit what currently should be done and, in the
light of later developments, reappraise and
communicate the planned course of corrective action to be
taken in the future.


Some of the benefits that can be gained from an
operational audit include: [Ref. 25]

1. An objective professional review of the complete
operations.

2. A substantiated inventory of weaknesses and
unfavorable trends with some idea of the impact of these
deficiencies on revenues and costs.

3. An opportunity to evaluate present conditions, set
targets for corrective action, commit financial and
personnel resources and assign responsibility for
accomplishment.

4. Creation of an atmosphere for improvement and
constructive thinking at all management levels.

Operational auditing serves the needs of managers to be
objectively informed about conditions in the units under
their control. Managers need a means for detecting problems
and opportunities for improvement. Operational auditing is
a specialized management tool with a separate role from
established management information sources. Its purpose is
to create confidence that things are going well or to
discover problems or opportunities for improvements on the
basis of investigation.

A  key  feature  of  operational  auditing  is  that  it  is 
based  on  evidence--not  personal  opinion  unsupported  by 
factual  evidence.  Judgement  is  an  essential  part  of  the 
final  results,  but  its  value  comes  only  after  facts  have 
been  gathered  and  compared  with  standards. 

An operational audit is not designed to evaluate people
nor can it be expected to provide specific solutions to any
particular problem or weakness. On the other hand,
operational auditors should make recommendations, based upon
their experience, for corrective action. It must be made
clear, however, that the recommendations are strictly
proposals and such comments are to be acted upon or not acted
upon only as management chooses.

The auditor will encounter some situations in which no
definite recommendation may be possible--either because of a
lack of qualifying experience or the facts may not permit a
specific recommendation. Sometimes the most effective
solutions require analysis and research into alternative courses
of action.

Table I presents some of the major characteristics of
financial  and  operational  auditing. 

B. EVOLUTION OF INTERNAL AUDITING

During its early history, internal auditing was used
primarily to detect carelessness or other irregularities on
the part of bookkeepers and others charged with the duty of
recording transactions. If internal auditing had not grown
with the change in character of business, it would not be of
value to management today. It was recognized near the end
of the nineteenth century that internal auditing could serve
broader purposes than mere checks of accuracy of accounting
and statistical data. Thus the profession began to develop
in a direction which has led to its now being recognized as
one of the outstanding branches of management control.
[Ref. 26]

Internal auditing refers to a series of processes and
techniques through which an organization's own employees
ascertain for the management, by means of first-hand,
on-the-job observation, whether (a) established management
controls are adequate and effectively maintained; (b)
records and reports--financial, accounting, and
otherwise--reflect actual operations and results accurately
and promptly; and (c) each division, department or other
unit is carrying out the plans, policies, and procedures for
which it is responsible. [Ref. 27]

The internal auditor's work involves constant
surveillance of such functions as policies; accounting and
operating procedures; systems of internal control; care,
TABLE I

Characteristics of Auditing Types


Financial Auditing

    Evaluates financial controls and transactions to express
    an opinion on financial statements as they disclose or do
    not disclose a true and fair view

    Requires judgement

    Measures against auditing standards and procedures

    A retrospective viewpoint

    Employs generally accepted accounting principles

    Audit independence essential

    Opinion for outsiders and management

    Performed at least annually


Operational Auditing

    Evaluates efficiency of use of resources, reviews internal
    management systems and structure. Deals with all
    measurable aspects of the organization.

    Defines problems and opportunities for improvement

    Requires judgement

    Based on evidence rather than opinion

    Management orientated

    Present and future operations

    Employs standards of the organization or industry for
    evaluating management performance

    Audit is independent

    Does not render opinions

    Periodically performed but with indefinite timing

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protection,  storage,  and  destruction  of  records;  care  and 
storage  cf  the  organizations  valuables;  reliability  of  books 
of  record  and  accounting  and  statistical  reports;  and 
compliance  with  all  laws  and  regulations. 

The internal auditor must have facts as the basis of any
report. These facts are obtained by a detailed analysis of
the situation. After reviewing the facts, the auditor must
appraise them, make judgements on them using his knowledge
of policies and objectives, and make recommendations for
solving any problems found. Since the auditor has no
authority to implement solutions, he must convince
management to do so.

There is increasing interest in operational auditing on
the part of internal auditors as well as by accountants in
public practice. The development of internal operational
auditing varies widely between organizations because of
company size, size of audit staff, and degree of management
acceptance. There is a need to get the concept of
operational auditing across to the operating personnel at all
levels. This is important because a lack of understanding
or an unwillingness to give the recommendations fair
consideration makes the audit effort worthless. [Ref. 28]

An operational audit provides a service to the executive
management by providing impartial appraisals of the
performances of operating groups to the extent of the auditor's
qualifications to render opinions. Efforts to help
management do a better job through aiding the understanding of
the economic factors in their decisions help the
organization as a whole. The objective of the operational audit is
to see that management has at hand all the tools available
to help in deciding which are the most profitable alternatives.
This may involve evaluating information flowing in to top
management as well as the way it is handled by staff groups.
Evaluating how objectives are being met must be done along
with how those objectives were set in the first place.
C. ROLE OF AN OPERATIONAL AUDITOR

The  role  of  the  operational  auditor  is  not  a  simple  one. 
The  ability  to  correctly  identify  operating  problems  and 
explain  them  to  senior  management  often  requires  a  high 
order  of  skill. 

An auditor must get the willing cooperation of the
people being audited. They must be convinced that the
audit's purpose is to help them. A way to begin is by
sitting down with the manager or supervisor of the facility
that is to be audited. An explanation of what action is
planned and what accomplishment is expected should be made.
The auditor should make an effort to learn what problems the
people being audited might want to have studied. More
problems will be discovered during the audit if leading
questions are asked to get people talking about their jobs.

The auditor must take the time necessary to do the job
thoroughly. When time is limited, the activity should be
divided into smaller operations to allow the auditor to be
thorough with those that are audited. The auditor must be
aware of the dangers of not understanding an operation well.
Something which, on the surface, seems wrong may be all
right in light of the facts. Conversely, something may be
basically wrong that initially seems acceptable. When it is
suspected that something is wrong, a recommended practice is
to discuss the finding first with the person most directly
concerned before approaching higher levels of supervision.
Another suggestion is to try to recommend a solution to any
problem discussed. After all, if a situation is thought to
be wrong, there must be some associated idea of what is
right.

It is not uncommon to finish an operational audit and
still feel that there were other things that should have
been done. At the beginning of the audit, auditors spend
the necessary time to indoctrinate themselves. A lot of
time is spent reviewing specific activities before they are
understood well enough to know if suggestions are to be
made. As an audit is completed, the audit program is
revised to incorporate new steps deemed necessary. These
revisions are essential to ensure that what is accomplished
is what should be accomplished. No matter how advanced or
sophisticated a particular brand of operational auditing may
be, there is room for improvement. A failure to plan and
strive for that improvement is a failure to properly carry
out the duties as auditors.

D. PLANNING AN OPERATIONAL AUDIT

The output of an operational audit is either a report or
a carefully structured briefing. This output must include
all of the essentials about an auditor's findings. An
auditor must think about the report during the planning
stage, plan what will go into the report and do audit work
that will get the necessary information for the report if an
efficient operational audit is to be done.

Planning is an important part of every management
undertaking, and is equally important in operational
auditing. Thinking what needs to be done, setting it
out in a plan, and then following that plan to
conclusion is the best way to complete a job satisfactorily in
the least possible time. To audit without a plan can
result in a lot of false starts and wasted effort.
Consequently, auditors should have a well thought-out
plan for every assignment. [Ref. 29]

This planning of the report, however, is begun after the
auditor has observed conditions where it appears that costs
can be reduced or results improved. The observed condition
represents the basic premise around which a finding is
built. Thus, it should be the focal point for the
development of plans for conducting the audit and collecting the
necessary information. [Ref. 30]

Preliminary survey work is usually needed for effective
operational auditing planning. The extent of such
preliminary work depends on how familiar the auditors are with the
activity or function being reviewed and whether an area for
detailed audit has been identified. During the survey the
following actions occur: [Ref. 31]

1. The envisioned finding is identified and clearly
defined.

2. Sources of information are identified for use in
developing the audit program report.

3. Audit techniques for further development of the
envisioned finding are tested.

4. Staffing requirements and the scope of audit work,
including audit sites, are considered.

Several factors need to be considered when deciding the
scope of the audit. One is whether the projects or
transactions being audited are intended to represent a
statistical sample so that audit findings can be projected to an
entire program. The scope of work might also be influenced
by available resources in terms of staff and dollars, and by
the time constraints. The objective is to do only what is
necessary to clearly show any possible bad effect and to
develop a convincing case. Consideration should also be
given to making pilot studies before embarking on a detailed
audit. The pilot study at one or more locations would
provide additional knowledge of operating procedures and
test the proposed audit techniques.

There are no step-by-step procedures for doing an
operational audit. There are, however, certain things that need
to be done. While the approach is not as uniform as in a
financial audit, it should at least be systematic. The
planning should culminate in an audit program. Each program
must be tailored to fit each audit, yet certain elements
should be always present. The program should briefly
summarize the areas to be audited and make a general
statement as to how the required information will be obtained.
It should also state the expected completion date.

Because development of a finding is frequently an
evolutionary process, audit programs should be periodically
updated as work progresses. If conditions or findings are
not as anticipated, the plan must be revised or the audit
discontinued. Any changes to audit scope should be made a
part of the program. Economy and efficiency audits are the
ones where plans are most likely to change as the audit
progresses, so the planning of such audits must be flexible.

For economy and efficiency audits, the goal of the
organization to be examined is whether certain functions can be
performed at less cost without degrading the end result of
the work. For example, suppose that an auditor is given the
assignment of reviewing the maintenance function of an
airline to see if the cost can be reduced without in any way
jeopardizing safety or degrading passenger service. A
further supposition is that the airline has a huge warehouse
full of aircraft tires. Inquiry shows that there are enough
tires on hand to last the airline for five years at the
current rate of consumption. Now the auditor's work must be
planned. A finding that the airline is overstocking tires
and should reduce its inventory will probably be visualized.
The audit plan should be similar to the following
illustration: [Ref. 32]

1. Authority: Review delegations of authority to the
maintenance department to see what authority they have to buy
tires, and whether they have exceeded their authority.

2. Goal: Determine what the goal of the maintenance unit
is with regard to maintenance of tires. (It probably is to
provide the tires needed to keep aircraft supplied with new
tires whenever needed without investing any more money than
necessary in tire inventory.)

3. Condition: This is what the auditor observed in the
survey. The airline appears to have far more tires than it
needs--but this must be checked out. The auditor needs to
make inquiries to find out how the airline acquired these
tires and why. A decision will then have to be made
regarding whether there was a reasonable basis for doing so.

4. Effect: The auditor will want to compute how much can
be saved by reducing the stock of tires to a reasonable
level. This will probably include obtaining some criterion
for determining what a reasonable level is. There might be
a plan to see what other airlines use as a basis for
stocking tires to get a criterion. As an alternative, a check
could be made to see how long it takes to reorder tires and
base the stocking level criteria on what quantity is needed
to provide stock between reasonable reorder periods. For
instance, it might be concluded that a three-months supply
of tires plus a reasonable safety level is all that is
needed to meet the maintenance department's goals and it
might therefore be suggested that quantity of stock is the
criterion for the inventory level.

5. Procedures: The auditor will want to find out what
procedures have been established to control the quantity of
tires purchased. Such procedures should be designed to
achieve the goal that the maintenance department
has--presumably the procedures should require some method of
determining that stocks on hand do not exceed the minimum
necessary to keep operating aircraft supplied with new tires
as needed.

6. Cause: The auditor's work should look into what
happened that resulted in the undesirable condition. . . .
65% of the time, it will be found that sound procedures
exist but they are not followed. In some cases, procedures
are improperly conceived and, if followed, will not produce
the results intended by the goals established for the
organization.


While the above outlines the planning of such an audit,
the work would not be done in that order. Item 3 would be
performed first. Next, the steps needed to get information
for items 1 and 2 would be performed. This is practical
since this work takes relatively little time and the
information obtained from these steps can often explain away
the condition found and indicate that everything is all
right. Next, the auditor must find out what the procedures
are for controlling tire inventories and determine whether
there is significant effect. This is usually the
time-consuming part of the work but, if there is not a
significant effect, there is not much use going any further. Item
6 (cause of the problem) would follow if the effect is
determined to be significant.

As mentioned previously, auditors will frequently
discover in pursuing an envisioned finding that the
condition is not what was initially observed. When this happens,
the audit program will generally need to be revised. To
illustrate, suppose that the auditor learned that the
company had recently acquired another airline and had also
been authorized to add several more flights. Further
suppose that, in checking the requirements, it was found that
many of the tires had been purchased (1) to cover the related
expected increase in tire use, and (2) to provide an initial
inventory for a new plane that was being put into service. Given
these new requirements the tire supply may be justified. If
this is the case, further audit work on this would not be
warranted.

If the auditors were very inquisitive and began
wondering why all new tires were used and none were
recapped, and they knew that recapping is common practice in
the airline industry, they might visualize that the airline
could save considerable money by recapping tires if it could
be done without jeopardizing safety. This new picture of
the finding requires a revision of the audit plan. The
revised plan should be something like the following example.
[Ref. 33]

1. Authority: Review the delegations of authority to see
what responsibility the maintenance department has been
given for recapping tires and whether conditions may have
been spelled out for recapping.

2. Goal: Determine what goal, if any, the maintenance
unit has. If it is necessary, obtain evidence to establish
an asserted goal. On the basis of information obtained from
other airlines, the asserted goal might be to "use recapped
tires as often as the casings permit."

3. Condition: It appears the airline could use recapped
tires, but the auditors will need to assure that it can be
done safely. This will require contacting other airline
companies to get information on their experience, the extent
they use recapped tires, and their criteria for recapping.

4. Effect: The auditors will want to compute how much
money can be saved by using recapped tires. They will need
to obtain information on the price of new tires versus the
costs associated with recapping. The auditors will also
need to obtain information--from other airlines--to
determine the average number of times a tire can be recapped.

5. Procedures: The auditors will want to find out what,
if any, procedures the maintenance department has for
recapping tires. These procedures should provide criteria
for determining how often and under what conditions tires
can be safely recapped.

6. Cause: The auditors' work should be sufficiently
extensive to determine why this condition has resulted. In
this case it would appear to result from a lack of
procedures for recapping tires.


The  audit  steps  and  information  requirements  of  this 
finding  differ  significantly  from  the  initial  audit  plan. 
This  example  also  illustrates  the  difficulties  auditors 
encounter  in  doing  operational  audits.  Even  with  the  best 
planning,  false  starts  often  cannot  be  totally  eliminated. 

Another planning consideration is the engagement letter.
The auditor often must start his engagement with a proposal.
Once planned and prepared, the proposal letter becomes
the engagement letter when signed by the client. The form
and structure of this letter are critical. The introduction
sets the tone for the entire letter. It should be formal
and forthright. Specifics included in the opening paragraph
are the date of the visit, the subject of the study and the
names of all supervisory personnel encountered during the
preliminary survey. The statement of the engagement's basic
objectives is probably the most critical section. The
objectives should be stated simply and concisely in terms of
the client's definition of the problem or opportunity. The
approach should be a clear and specific statement of the
work plan. It should omit nonessential details. Unless the
anticipated benefits are stated clearly and confidently the
client might infer that there are doubts in the auditor's
mind. Frequently in proposals to government agencies there
is a section presenting the professional qualifications of
the auditors. The conclusion should end in a positive vein
[Ref. 34]. This discussion pertains to management services
but will apply equally well to proposals and engagement
letters for operational audits. Public accountants require
an engagement letter for approval to continue the audit
beyond the preliminary survey and testing of management and
internal control. In most government audit agencies, since
the law requires that examinations be made, the approval
that must be obtained for continuing the audit is from a
higher-level authority in the audit agency.

VI. PHASES OF THE AUDIT FUNCTION


A. INTRODUCTION

To be successful an audit must be conducted within a
sound conceptual framework with flexible procedures. Such
an audit requires analytical ability, ingenuity, and
systematic procedures. Each operational audit is unique. There
is no common approach and the factors to be considered will
vary as much as the approach. Some elements that suggest a
starting place are these: goals and objectives, plans,
organization, operations, controls, systems and procedures,
staffing, facilities, reports, policies, and communications.

Although the sources of information that are available
to an operational auditor depend upon the auditor's skill,
experience and training, some sources are common. The
people in the unit being audited are the prime source. A
well-conducted interview is often the most efficient tool
available.

Internal documentation can also be a major source of
information. Organization manuals, organization charts,
staff memos, policy manuals, training manuals, and
advertising brochures are some of the documents that may be
useful in addition to the financial, production, cost and
budget ones. The auditor should start the accumulation of
documents early in the assignment.

Direct observation is another productive source of
information. By consciously observing, the auditor becomes
aware of problems that are not reflected in data.
Observation is also a source of specific examples that can
be used to illustrate general conclusions.


According to Lindberg, each audit assignment has the
following phases: [Ref. 35]

1. The first step in an ... the areas and scope ...

2. Preparation. The next step is for the auditor to
become familiar with corporate plans, policies, and
organization as they relate to the unit or area to
be reviewed and to acquaint himself with relevant
industry information.

3. Initial survey. The auditor should become oriented
in the field within which work is to be done through
discussions with key people there. At this stage
the auditor samples aspects of the work and the
environment of the field of inquiry.

4. Research. After becoming familiar with the field of
inquiry, the auditor systematically uncovers the
facts about the operations, assignments of
responsibility, and plans and management of the area. This
stage requires being on guard against attempting to
dig out all the facts. Since it is probably
impossible to get all of them, the auditor should
concentrate on getting the key facts and those that are
readily available. They will suffice for the
analysis.

5. Analysis. After gathering the key facts and enough
additional information to justify the formation of
conclusions, the auditor is in a position to analyze
and to decide whether the results of analysis
indicate true opportunities for the making of
improvements.

6. Reporting. At this stage the auditor sums up the
finding in writing and takes care to define the
uncovered problems as meaningfully as possible in
specifics and costs. Although report preparation is
customarily regarded as the final step, the auditor
will be well advised to start it on the first day;
the surest way to drag it out is to wait until the
end of the study. It is also beneficial to discuss
findings with the manager of the auditing department
before submitting the report to a higher level.

7. Justification. This is the last step in a study,
and the most critical. At this point such
challenges as have arisen to the accuracy or worth of
the findings are countered orally by the operations
auditor, usually in executive meeting.

To  reach  the  audit  objective  the  auditor  must  include 
all  of  the  above  steps  which  can  also  be  characterized  as: 

1.  The  preliminary  survey 

2.  The  review  of  management  control 


3.  The  detailed  examination 

4.  The  report  development 

These four phases are comparable to the five steps given
by the American Institute of Certified Public Accountants
for conducting performance evaluations:

1.  Ascertaining  the  pertinent  facts  and  circumstances 

2. Seeking and identifying objectives

3. Defining problem areas or opportunities for
improvement

4. Evaluating and determining possible improvements

5. Presenting findings and recommendations [Ref. 36]


B. THE PRELIMINARY SURVEY

During the preliminary survey phase, the auditor quickly
obtains background and general information on all aspects of
the organization being considered for examination. The
working knowledge of the entity gained during this phase is
not evidence--it is simply descriptive information. It
includes historical and operating information as well as
legislative information on governmental organizations.
Certified Public Accountants (CPA) approach the preliminary
survey a little differently from governmental auditors. They
must plan for a request for proposal for the contract for
the engagement, as well as prepare for gathering background
information. The conclusion of this phase becomes the
objective for the next phase. It also becomes the basis for
determining how to obtain evidence and how much evidence is
needed for the phase that reviews management control.


C. THE REVIEW OF MANAGEMENT CONTROL


One purpose of the second phase is to obtain evidence on
the three elements of the tentative audit objective--
criteria, cause and effect. Criteria represent the
standards for the audit. Causes represent management or
employee actions that took place or should have taken place
to carry out the appropriate standard. And effects
represent the results of the measurement of the causes against
the criteria. The term management control as used here
includes planning, policy, and procedures determination, as
well as the actual practices carried out in managing an
organization's affairs. Management control promotes the
effective carrying out of assigned responsibility as
intended. By obtaining evidence on the tentative audit
objective, the auditor determines whether there is a basis
for a detailed examination. By determining the competency
of the evidence, the auditor can also determine the
reliability of the information to be obtained from the
management control system.

Any good management control system follows these steps:
setting standards, objectives, goals, or procedures;
determining whether the standards, objectives, goals, or
procedures have been appropriately carried out;
appraising the results of such carrying out; and then,
when necessary, taking corrective action. The principle
underlying these steps is that no one person should be
in complete control of any important part of the
operations of the system. [Ref. 37]


The basic approach is to review the specific flow of
procedures and practices applied to a specific transaction
or item.


D. THE DETAILED EXAMINATION

The detailed examination phase of the audit function is
usually thought of as the audit. The prior two phases,
however, determine what is to be done and how it is to be
done. Reporting the results of the audit of management's
performance concerning efficiency and economy will be
discussed in the next section.

The evidence gathered during the detailed examination
must be sufficient as well as competent, material, and
relevant in order for the auditor to arrive at an acceptable
conclusion on the audit objective and then report that
conclusion. Interviewing knowledgeable persons generally
provides substantial amounts of information that can be used
as evidence. The information so obtained may also be used
to supplement, explain, interpret, or contradict information
obtained by other means.

The emphasis in operational audits in data processing
environments is shifting from the evaluation and
verification of processing results (e.g., data files, records,
reports) to the evaluation and verification of the controls
that ensure the continuing accuracy and reliability of
processing results. This emphasis is resulting in new audit
approaches and techniques. Many of the controls that ensure
the accuracy and completeness of data processing results are
now automated and can no longer be reviewed and verified
through direct observation.

Changing application systems structure presents new
problems for auditors. [Ref. 38]

1. Input transactions are being entered for immediate,
on-line processing from remote terminal locations in
contrast to the single-entry point batch input,
typical of earlier years.

2. Applications are being tied together so that a
single input transaction performs multiple
functions. Transactions are also being generated within
an application program and automatically flow into
others.

3. Audit trails in hard copy form are being eliminated.
For example, detailed lists of input transactions
and periodic master data file listings are being
replaced by transaction logs on magnetic tape that
can be printed if a need arises, and by
interrogation of on-line data bases.

Auditing in this environment should include a review of:
[Ref. 39]

Manual procedures that have been developed to complement
controls internal to computer application programs
(e.g., input preparation, input control, error handling,
and output balancing and reconciliation).

Application system controls internal to computer
application programs (e.g., data validation, control total
verification, batch or transaction balancing and
proofing, and error identification and reporting).

Data files and reports produced as a result of computer
application processing (e.g., data processing
masterfiles, transaction logs, and output reports).

Auditing these areas includes a review of controls to
determine their adequacy, tests to verify controls, and
tests to verify data (i.e., masterfiles and reports).
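
The application controls listed above (data validation, control total verification, batch balancing, and error identification and reporting) can be exercised by an auditor as a test over a transaction log. The following is an added example, not part of the thesis; the record layout, batch identifiers, and header values are constructed assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed transaction log (not from the thesis): batch_id|account|amount
SAMPLE_LOG = """\
B001|100234|125.50
B001|100871|40.00
B001|100455|310.25
B002|200119|75.00
B002|200717|18.40
B002|200310|60.00
B003|300200|50.00
B003|3OO300|40.00
B009|900100|5.00
"""

# Constructed batch headers prepared at input control: record count, amount
# control total, and hash total (sum of account numbers, meaningless as a
# quantity but sensitive to a wrong or substituted account).
HEADERS = {
    "B001": {"count": 3, "amount": Decimal("475.75"), "hash": 301560},
    "B002": {"count": 3, "amount": Decimal("153.40"), "hash": 601200},
    "B003": {"count": 2, "amount": Decimal("90.00"), "hash": 600500},
}


@dataclass
class BatchResult:
    count: int = 0
    amount: Decimal = Decimal("0")
    hash_total: int = 0
    findings: list = field(default_factory=list)


def validate(fields):
    """Data validation: return (account, amount) or raise ValueError."""
    if len(fields) != 3:
        raise ValueError("expected 3 fields")
    _, account, amount = fields
    if not (account.isascii() and account.isdigit() and len(account) == 6):
        raise ValueError("account number must be six digits")
    try:
        value = Decimal(amount)
    except InvalidOperation:
        raise ValueError("amount is not numeric") from None
    if not value.is_finite() or value <= 0:
        raise ValueError("amount must be a positive number")
    return int(account), value


def balance_batches(log_text, headers):
    """Recompute totals per batch and compare them with the declared ones."""
    results = {batch_id: BatchResult() for batch_id in headers}
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.strip().split("|")
        batch_id = fields[0]
        if batch_id not in results:
            # A transaction with no header bypassed input control.
            results[batch_id] = BatchResult(findings=["no batch header"])
        result = results[batch_id]
        try:
            account, amount = validate(fields)
        except ValueError as err:
            # Error identification and reporting: reject, but keep a record.
            result.findings.append(f"line {line_no} rejected: {err}")
            continue
        result.count += 1
        result.amount += amount
        result.hash_total += account
    for batch_id, declared in headers.items():
        result = results[batch_id]
        computed = {"count": result.count, "amount": result.amount,
                    "hash": result.hash_total}
        for name in ("count", "amount", "hash"):
            if computed[name] != declared[name]:
                result.findings.append(
                    f"{name}: declared {declared[name]}, computed {computed[name]}")
    return results


if __name__ == "__main__":
    for batch_id, result in balance_batches(SAMPLE_LOG, HEADERS).items():
        status = "BALANCED" if not result.findings else "OUT OF BALANCE"
        print(batch_id, status)
        for finding in result.findings:
            print("   ", finding)
```

Batch B002 agrees on record count and amount and is caught only by the hash total, which is why an audit test of batch balancing should confirm that all three totals are actually compared.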

E. THE REPORT DEVELOPMENT

All work done in the audit function leads to this phase.
The conclusion to the audit objective, which has been
developed in the detailed examination phase from evidence
gathered in that phase, is converted into a form that an
interested third party can accept and understand. There is
no standard way for presenting results of an operational
audit. There are some basic ideas, however, on ways to
present the results.

The "report controls" standard for government economy
and efficiency audits and program results audits is
presented below. [Ref. 40]

The report shall include:

1. A description of the scope and objectives of the
audit.

2. A statement that the audit was made in accordance
with generally accepted government auditing standards.

3. A description of material weaknesses found in the
internal control system (administrative controls).

4. A statement of positive assurance on those items of
compliance tested and negative assurance on those
items not tested. This should include significant
instances of noncompliance and instances of or
indications of fraud, abuse, or illegal acts found
during or in connection with the audit. However,
fraud, abuse, or illegal acts normally should be
covered in a separate report, thus permitting the
overall report to be released to the public.

5. Recommendations for actions to improve problem areas
noted in the audit and to improve operations. The
underlying causes of problems reported should be
included to assist in implementing corrective
actions.

6. Pertinent views of responsible officials of the
organization, program, activity, or function audited
concerning the auditors' findings, conclusions, and
recommendations. When possible their views should
be obtained in writing.

7. A description of noteworthy accomplishments,
particularly when management improvements in one area may
be applicable elsewhere.

8. A listing of any issues and questions needing
further study and consideration.

9. A statement as to whether any pertinent information
has been omitted because it is deemed privileged or
confidential. The nature of such information should
be described, and the law or other basis under which
it is withheld should be stated. If a separate
report was issued containing this information it
should be indicated in the report.


All reportable results should be comparable to the audit
results, and should be stated in terms of criteria, causes,
and effects. Thus, the auditor will state the criteria in
terms of an appropriate standard for the activity, the
causes in terms of what was actually happening at the
time the audit took place as well as what should have been
happening, and the significance of the results of not
carrying out the appropriate standard.


Recommendations are usually brief suggestions by the
auditor as to what should be done to bring about
improvements in performance. Recommendations are not requirements
set by the auditor as to standards that should be followed
by the entity. The management of the organization has the
responsibility for requiring recommendations to be followed;
all the auditor can do is suggest the basis for improvement.

Before preparing a final report, the auditor usually
prepares a draft report, which is submitted to the
organization concerned with the audit, for their comments in order
to be sure that the report is fair, complete, and objective.

Often,  the  auditor  develops  and  presents  a  summary  or 
digest  of  the  report  to  make  it  easier  for  the  reader  to 
understand  the  entire  report,  especially  if  the  report  is 
long. 

A useful example of the graphic flow of the phases of
the audit function for an operational audit is shown in
Tables II, III, IV, and V. [Ref. 41]


TABLE II

The Preliminary Survey


PHASE ONE

1. Obtain in a relatively short period of time
background and general information on
organization and management activity
being considered for examination.

2. Analyze background and general
information to obtain relevant
evidence--not necessarily sufficient,
material or competent--on one or more
elements--criteria, causes, or effects--of a
possible audit objective.

3. Assert the other element or elements in
order to have a tentative audit objective.

4. Assert alternative criteria and other
elements on related management activities
to establish possible alternative audit
objective.

5. If possible alternative objective is to be
considered, obtain relevant evidence, if no
evidence has previously been obtained, on
one or more elements of the possible audit
objective in order to have alternative
tentative audit objective.

6. Summarize evidence and assertions on
tentative audit objectives.

7. Conclude from relevant evidence and
assertions:

a) that original or alternative
tentative audit objective can be used
as the objective for the review phase, if
relevant, material, and competent
evidence can be obtained on all three
elements of the tentative objective, and
(1) what types of relevant material and
competent evidence will be needed to
determine the audit objective, and (2)
what types and how much evidence
will be needed to determine
competency of evidence. Proceed to
review, or

b) that tentative objectives cannot be used
because evidence would not be
available or that conditions do not
warrant continuation. Withdraw from
engagement.


TABLE III

The Review of Management Control


PHASE TWO

1. Obtain any needed additional background
information.

2. Obtain relevant, material, and competent
evidence--not necessarily sufficient--on
tentative audit objectives by testing
management control to determine:

a) that there could be a reasonable
criteria.

b) that some particular person or group of
persons at one or more levels of
responsibility could cause an inefficient
operation, and

c) that the effects of the inefficient
operation are significant.

3. Obtain evidence from management control
system on the competency of evidence that
must come from system if additional work
is to be done.

4. Determine that evidence could not be
obtained on all three elements of the
tentative audit objective.

5. Summarize evidence and conclude:

a) whether the developed tentative
audit objective can be a firm
objective to be used in the detailed
examination phase,

b) whether evidence that must be
obtained would be competent, and

c) what additional evidence must be
obtained and from what source to have
sufficient competent, material and
relevant evidence to come to a
conclusion on the audit objective.

Proceed to detailed examination, or

d) that auditor should withdraw from
examination.


TABLE IV

The Detailed Examination


PHASE THREE

1.  Obtain  any  additional  background  data 
needed. 

2.  Obtain  sufficient  competent,  material,  and 
relevant  evidence  to  determine: 

a) the acceptability of the criteria of the
audit objective and that any
argument against the criteria can be
rebutted,

b) the specific action or lack of action at
levels involved in the management
activity that caused the effects, and

c) the significance of the effects.

3. Summarize evidence in terms of criteria,
causes, and effects.

4. Conclude from the summarized evidence
that the effects in the management activity
were significantly inefficient when the
actions of employees and management are
evaluated against the criteria. Proceed to
report development.

5.  Conclude  that  sufficient  evidence  could  not 
be  obtained  to  determine  an  appropriate 
criteria  on  the  management  activity, 
determinable  causes,  or  significant  effects 
or  that  other  conditions  warrant  that  the 
auditor  should  withdraw  from  engagement. 


TABLE V

The Report Development


PHASE FOUR

1. Set the scene through background or
general information or through scope of
audit.

2. Communicate conclusion, stating the
significance of the effects caused by not
following a proper standard. Sufficient
evidence on criteria, causes, and effects
should be given with the audit objective for
the reader to come to same conclusion as
the auditor.

3.  State  recommendations,  usually  that  the 
criteria  should  be  followed  in  the  future  to 
obtain  best  results. 


VII. CONSIDERATIONS FOR AN OPERATIONAL AUDIT OF A NARDAC


A.  OVERVIEW 

An operational audit of a NARDAC can provide a vital
check and balance on the organization as it attempts to meet
cost and service goals. The basic purposes of the audit are
to ensure that measurable standards for systems development
and operations functions have been developed; to ensure that
these standards are being adhered to by the various
departments; to ensure that systems are designed to be easily
auditable and that maintenance changes do not create
unintended problems; and to act as a catalyst for improving
operating efficiency.

The NARDACs are incredibly complex. The governing
regulations are intricate and perpetually changing. The
pragmatic civil service management tacks new procedures onto the
old and maintains the same basic work patterns. The civil
servants are a force for continuity in this dynamic
operation. In contrast, the military managers are invariably
committed to change. When making recommendations for
improvements as the result of an operational audit, the
auditor must be aware that what can be done in and by a
NARDAC is limited by the legal and political framework in
which it functions. The lack of administrative continuity
increases the need for an effective internal control system.

B.  INTERNAL  CONTROLS  IN  FEDERAL  GOVERNMENT 

In 1950, the Accounting and Auditing Act was passed
requiring, among other things, that agency heads establish
and maintain effective systems of internal control. Since
then, the General Accounting Office (GAO) has issued
numerous publications to guide agencies in establishing and
maintaining effective internal control systems. While the
need for improved internal controls has continued,
development of effective systems has been slow.

In  the  past  decade,  numerous  situations  came  to  light 
that  dramatically  demonstrated  the  need  for  controls  as  the 
government  experienced  a  rash  of  illegal,  unauthorized,  and 
questionable  acts  which  were  characterized  as  fraud,  waste, 
and  abuse.  It  is  generally  recognized  that  good  internal 
controls  would  have  made  the  commission  of  such  wrongful 
acts  more  difficult.  Consequently,  increased  attention  is 
being  directed  toward  strengthening  internal  controls  to 
help  in  the  restoration  of  confidence  in  government  and  to 
improve  its  operations. 

The Federal Managers' Financial Integrity Act of 1982
requires renewed focus on the need to strengthen internal
controls. The act requires periodic evaluation of agency
internal control systems and that the heads of executive
agencies report annually on their system status. These
evaluations are to be made pursuant to the "Guidelines for
the Evaluation and Improvement of and Reporting on Internal
Control Systems in the Federal Government," issued by the
Office of Management and Budget in December, 1982. The
reports are to state whether systems meet the objectives of
internal control and conform to standards established by
GAO.

Standards  for  Internal  Controls  in  the  Federal 
Government,  issued  by  GAO,  presents  the  internal  control 
standards  to  be  followed,  and  covers  both  the  program 
management  as  well  as  the  traditional  financial  management 
areas.  GAO  will  issue  interpretations  and  revisions  to  the 
standards  as  may  become  necessary. 

The following is GAO's concept of internal controls:
[Ref. 42]




The plan of organization and methods and procedures
adopted by management to ensure that resource use is
consistent with laws, regulations, and policies; that
resources are safeguarded against waste, loss, and
misuse; and that reliable data are obtained, maintained,
and fairly disclosed in reports.


The GAO general internal control standards apply to all
aspects of internal controls. Table VI is an outline of the
standards: [Ref. 43]


TABLE VI

GAO General Internal Control Standards


1. Reasonable Assurance. Internal control systems
are to provide reasonable assurance that the
objectives of the systems will be accomplished.

2. Supportive Attitude. Managers and employees
are to maintain and demonstrate a positive and
supportive attitude toward internal controls at
all times.

3. Competent Personnel. Managers and employees
are to have personal and professional integrity
and are to maintain a level of competence that
allows them to accomplish their assigned duties,
as well as understand the importance of developing
and implementing good internal controls.

4. Control Objectives. Internal control objectives
are to be identified or developed
for each agency activity and are to be logical,
applicable, and reasonably complete.

5. Control Techniques. Internal control techniques
are to be effective and efficient in accomplishing
their internal control objectives.


It is essential to provide assurance that the internal
control objectives will be achieved. These critical
techniques are the specific standards outlined in Table VII.
[Ref. 44]


TABLE VII

GAO Specific Internal Control Standards


1. Documentation. Internal control systems and
all transactions and other significant events are
to be clearly documented, and the documentation is
to be readily available for examination.

2. Recording of Transactions and Events. Transactions
and other significant events are to be promptly
and properly classified.

3. Execution of Transactions and Events. Transactions
and other significant events are to be authorized
and executed only by persons acting within the
scope of their authority.

4. Separation of Duties. Key duties and
responsibilities in authorizing, processing, recording,
and reviewing transactions should be separated among
individuals.

5. Supervision. Qualified and continuous supervision
is to be provided to ensure that internal control
objectives are achieved.

6. Access to and Accountability for Resources.
Access to resources and records is to be limited to
authorized individuals, and accountability for the
custody and use of resources is to be assigned and
maintained. Periodic comparison shall be made of
the resources with the recorded accountability to
determine whether the two agree. The frequency of
the comparison shall be a function of the
vulnerability of the asset.


Auditors are responsible for following up on audit
findings and recommendations to ascertain that resolution has
been achieved. Table VIII presents the Audit Resolution
Standard. [Ref. 45]


TABLE VIII

GAO Audit Resolution Standard

Prompt Resolution of Audit Findings. Managers are
to (1) promptly evaluate findings and recommendations
reported by auditors, (2) determine proper actions in
response to audit findings and recommendations, and
(3) complete, within established time frames,
all actions that correct or otherwise resolve the
matters brought to management's attention.


C.  INTERNAL  CONTROLS  IN  THE  DATA  PROCESSING  ENVIRONMENT 

Internal  controls  in  the  data  processing  environment 
pertain  to  the  processing  and  recording  of  an  organization's 
transactions  and  to  resulting  management  reporting.  They 
are  the  procedures  that  ensure  the  accuracy  and  completeness 
of  manual  and  automated  transactions,  records,  and  reports, 
and  the  avoidance,  detection,  and  correction  of  errors. 
They  encompass  source  document  origination,  authorization, 
processing,  data  processing  record  keeping  and  reporting, 
and  the  use  of  data  processing  records  and  reports  in 
controlling  an  organization's  activities. 

The "Data Processing Audit Practices Report," issued by
the Institute of Internal Auditors, presents an overview of
the elements of internal control in the typical data
processing function. These elements are applicable to a
NARDAC in addition to general controls needed by any
organization. These elements are: [Ref. 46]


Computer application systems, which encompass manual
procedures to originate and transmit input transactions
to the data processing department; computer application
programs that control the processing of transaction
data, record maintenance, and output report preparation;
and procedures that guide computer service center
personnel in the use of specific computer application
programs and the handling of the associated input data
and output reports.

Computer service center operations, which encompass the
facilities, equipment, personnel, and general procedures
that govern computer center operations, as opposed to
procedures specific to individual application systems.

Application systems development, which encompasses the
personnel and general procedures governing the design,
development, testing, and implementation of the manual
procedures and computer application programs that make
up computer application systems. This element also
includes the modification and improvement of existing
computer application programs.


The three data processing elements are planned,
organized, and managed to achieve various management information
system objectives. They are also interdependent. For
example, systems development may be constrained by the
availability of processing capacity or specialized
resources. In contrast, processing capacity may be
increased and special features added to accommodate new
systems development requirements.

A similar interdependency exists between computer
application systems and the computer service center. Poorly
designed application programs can degrade overall center
operations. Intervention required by center personnel tends
to be error prone and to make inefficient use of expensive
computer resources. Computer service center operations can
have a significant impact upon computer application systems.
Poorly or inadequately trained staff are frequent causes of
processing problems that affect application systems and
their users. Inadequate procedures within the computer
service center can cause or allow errors to pass undetected
in the preparation, scheduling, and handling of input
transactions, data files, and output reports. Such undetected
errors can defeat the intent of controls built into computer
application programs, at considerable expense in terms of
development time and money.

D. THE PERSONNEL SYSTEM


When  the  Federal  staffing  process  requires  several 
months  to  routinely  fill  a  position,  the  process  is  a 
disservice  to  mission  accomplishment.  The  regulations  exist 
to  prevent  abuse  of  privileges,  but  the  result  is  often  less 
flexibility  for  the  responsible  manager. 

Before action can be taken to hire, transfer, promote,
reassign or demote a civilian at a NARDAC (or any Federal
government job), a formally established position description
(PD), classified in accordance with laws and regulations,
must exist for the job. A PD provides information on the
principal duties, responsibilities and supervisory
relationships of a position. This information is used primarily for
classification purposes, but has other functions as well.
PD's can help to detect duplication of work or overlapped
duties; analyze training needs; and help to determine
standards of performance. Because PD's affect so many personnel
practices, they are an important source of information for
the operational auditor.

A vital part of the Federal staffing process is
evaluation of a new employee during the probationary period.
Separation of an inadequate employee is more difficult after
the probationary period, and the employee could remain on
the payroll for many years as a marginal producer. An
employee who completes a probationary period can never be
required to serve another such period.

E. PRODUCTIVITY CONSIDERATIONS

Before a manager can increase productivity, productivity
has to be defined. Performance objectives are tools that
are applicable only in settings that demand accountability
and that reward performance. One major difference between a
NARDAC and a similar organization in private industry is in
the degree by which either would benefit from an operational
audit. Much of a NARDAC's productivity problem may really
be a problem of law.

In "Coping with the Employee Turned Institution,"
Jeffrey Davidson discusses the phenomenon of the employee
in a Federal position who has effectively ceased to function
in the position to which hired or promoted. Davidson gives
details of how to identify such an employee and what to do
about one. [Ref. 47]


There exists in . . . large organizations at least one
employee who has effectively ceased functioning in the
role or position for which . . . originally hired, or
to which . . . promoted. This type of employee turned
institution is acclimated to all the ways of getting
through each workday contributing an appearance of being
on top of the job.

The personnel, management, and monitoring systems and
procedures within federal government leave much to be
desired. The possibility that an employee can become an
institution within any organization stems from a variety
of reasons. One reason is that the employee possesses
specific knowledge or skill that the organization cannot
readily acquire from other sources. The employee may
have developed a particular expertise that, at least
periodically, is of vital importance to operations.
Frequently, an employee turns "institution" within an
organization simply because he or she is allowed to, and
no one (not even the supervisor) is cognizant of, or
willing to expose, the employee's general lack of
dedication and limited effectiveness on the job.

Usually when an employee turns institution the
occurrence is due, in part, to a lack of awareness on the
part of one key manager or supervisor. That one key
person having knowledge of the employee's true work
habits and operating procedures, would not allow such a
practice to exist. The employee turned institution
promotes mediocrity; when confronted with an idea that
might be good for the organization but would involve
real work, the employee will often respond with
idea-killing phrases like "We've tried that before," or,
"That never works."


While the employee may make no significant
contributions, rest assured that he or she will be well informed
of organization policies and procedures, and will do
whatever possible to stretch the policies for personal
advantage. The employee turned institution can flourish
only when otherwise good managers and supervisors refuse
to see the true picture. The employee must be stopped
cold, before having a chance to:


1. Lower productivity,

2. Demoralize other employees,

3. Unfavorably influence other employees,

4. Tarnish the organization's image to outside parties.


This phenomenon of the employee turned institution
occurs frequently throughout the federal government,
since it is difficult to remove an employee from a
federal  position 


mploy< 


F. NARDAC LEAD-ACTIVITY APPROACH

Because ADP technology changes so rapidly and ADP
resources are scarce, individual NARDACs have been assigned
the lead responsibility in specific aspects of the
technology. For example, NARDAC Norfolk has been tasked by
NAVDAC with the responsibility of providing client support
for the acquisition and use of microcomputers. In response
to this tasking, it has developed a Technical Reference
Library and Software Exchange Center. It has established a
microcomputer user group, and it also performs ongoing
hardware/software evaluation programs. This lead activity
has also prepared reports on the subject of Low-cost
Expandable Microcomputer Systems, also known as the LEMS
Project. This lead assignment approach has distinct
advantages to the customer activities and the NARDACs. It
enables all NARDACs to keep abreast of the state of the art
while avoiding costly duplication of effort. Moreover, it
fosters standard implementation of enhancements at all
NARDAC sites.

The lead assignment of each NARDAC would require special
consideration in the design of an audit program for a
particular NARDAC.

G. CONCLUSIONS

Every manager must have a means for readily identifying
and accurately defining emerging problems before they become
institutionalized. The motive for operational auditing is
that it is an efficient source of information about the
sophisticated problems facing a manager.


The manager's task is far more difficult and challenging
than the normal tasks of the mathematician, the
physicist, or the engineer. In management, many more
significant factors must be taken into account. The
inter-relationships of the factors are more complex.
The systems are of greater scope. The non-linear
relationships that control the course of events are more
significant. [Ref. 48]


As more authority is delegated it becomes increasingly
difficult for top management to keep informed on how well
its programs and policies are being carried out.
Operational auditing provides information needed by top
managers who can not be personally informed about all areas
for which they are responsible. Without a means for
objectively measuring performance, managers may spend too much
time doing the wrong things--things that might make them
look good on the surface but which actually are not good for
the organization.


VIII. PERFORMING THE AUDIT


A. PURPOSE OF THE AUDIT


The NARDACs became Navy Industrial Fund (NIF) activities
at the beginning of fiscal year 1984. NIF activities are
required to bill customers, using a stabilized rate, for the
ADP services rendered. Commander, Naval Data Automation
Command (COMNAVDAC) approves the number and kind of rates to
be established. These rates are expected to remain in
effect for an entire fiscal year. Any variances between
stabilized rate billings and actual costs become profits or
losses to the NIF activity and are absorbed by the corpus.
The goal, however, is total cost recovery, generating
neither profit nor loss. Because all costs are passed on to
the customers, efficient and economical operations are a
major concern. The customers should not be required to pay
for inefficiencies. Thus, an operational audit is critical
to the identification of areas in need of improvement.

The NARDACs have been studied for potential contracting
out of the services now performed by government civilian and
military personnel. Plans are being made for an internal
reorganization to allow for government management and
monitoring of the operations after the contract has been let.
When contracting for services, the government has to specify
acceptable standards of operations. An audit would help to
define the needed criteria and provide a means to evaluate
these criteria that will be applicable to the contractor.

The commanding officer of the NARDAC would be the
recipient of the audit report except when the audit has been
conducted at the direction or request of COMNAVDAC. In that
case, the report would be made to COMNAVDAC.


Effective,  efficient,  and  economical  use  of  the  computer 
resources  at  a  NARDAC  requires  ongoing  coordination  among 
management,  computer  users,  and  auditors  to  bring  this 
powerful tool into proper perspective and under close
control. Vast amounts of data have been concentrated in a
few computer centers. This condition has resulted in virtually
total dependence upon the computer. Minimizing the
potential vulnerability for loss associated with this dependence
requires a greater degree of audit involvement than
previously required. Data processing equipment, software
and personnel are expensive. These costs and the potential
for loss, destruction, or misuse of these resources must all
be considered when reviewing the internal controls and
security required for the Electronic Data Processing (EDP)
facility. 

Unlike auditing in the traditional sense, operational
audits concentrate on the utilization of resources, also
paying considerable attention to information systems and
internal organization and procedures. There is some
overlap, however, of financial audits and operational
audits. Both, for example, review the systems and procedures
of internal control. Operational auditing also
provides  detailed  reviews  of  other  areas  such  as  space 
utilization,  purchasing  practices,  hiring  practices,  and 
management  decision  making.  Operational  auditing  provides  a 
means  to  determine  whether  employees  are  giving  their  best 
efforts  or  whether  costs  can  be  lowered. 

B. PURPOSE OF THE AUDIT GUIDE

The purpose of this guide is to provide uniform instructions
and guidance to personnel engaged in auditing EDP
facilities at a NARDAC. This audit guide (program) is a
result of the increased emphasis being placed on management
of and control over the Navy's EDP facilities. The guide is
designed to include organization, facility internal
controls, maintenance, security, resources and contingency
planning, and user billing/chargeout procedures. Audits at
a NARDAC may involve only the NARDAC or include reviews at a
number of customer activities. The extent of detailed work
to be accomplished will depend on the quality and extent of
the services provided to customer activities. The auditor
will determine the order and extent of audit coverage necessary
for the particular NARDAC being audited. The audit
steps are intended to lead the auditor into the more important
aspects of the NARDAC management but are not intended
to be restrictive or to serve as a substitute for initiative,
imagination, and judgment.

The  objectives  of  EDP  facility  audits  are  to: 


appraise  the  adequacy,  efficiency,  and  reliability 
of  the  EDP  facility,  including  training  programs, 
security,  and  processing  controls; 

determine  the  extent  and  adequacy  of  application 
system  procedural  controls;  and 

evaluate procedures, standards, and controls over
local program development.


The  audit  guide  provides  a  standardized  audit  approach. 
It  is,  however,  only  to  aid  the  auditor  during  the  audit 
process — not to direct every step. The auditor must still
rely  on  experience,  intuition,  and  preliminary  results  of 
the  audit  in  determining  the  full  scope  of  the  audit.  The 
objective  of  this  guide  is  to  organize  the  audit  approach, 
reduce  preparation  time,  and  ensure  a  level  of  completeness 
on  the  audit.  This  guide  is  primarily  a  result  of  adapting 
audit  programs  issued  by  the  Naval  Audit  Service.  (The 
Naval  Audit  Service  designs  audit  programs  that  provide 
comprehensive  guidance  for  auditing  selected  functions.) 
Other guides can be obtained in the following ways:
[Ref. 49]

1. From associations such as: American Institute of
Certified Public Accountants, The Institute of
Internal Auditors, Bank Administration Institute,
Canadian Institute of Chartered Accountants.

2. From major certified public accounting firms and
chartered accounting firms.

3. From organizations supplying manuals and an updating
service such as: Auerbach, Datapro, FA Id.

4. From publications such as Security, Accuracy, and ...
Computer Systems by James Martin, ... AFIPS Systems
Review Manual on ..., National ... Centre (Manchester, ...),
... Data Processing ... essment.

Audit  guides  obtained  from  the  above  sources  can  be 
modified  to  meet  the  specific  needs  of  the  organization.  It 
is  recommended  that  two  or  more  audit  guides  for  one  area  be 
obtained.  At  that  time  .  .  .  auditing  personnel  can 
combine the questions and approaches on the audit guides
with  their  own  knowledge  of  the  organization  in  that  area. 
This  would  result  in  an  audit  guide  meeting  the  specific 
needs  of  the  organization.  A  data  processing  background  is 
necessary  to  effectively  use  this  auditing  guide.  Without 
this background, the auditor will not comprehend the importance
of or meaning behind some of the items in the guide.


C. GENERAL INSTRUCTIONS

In  performing  an  audit,  the  auditor  should  proceed  as 
follows: 


1.  Establish  the  purpose  and  scope  of  the  audit. 

2. Make necessary modifications to the audit program
based  on  the  particular  audit  objectives. 

3.  Perform  an  initial  survey,  interviewing  NARDAC 
management  to  obtain  background  information;  to 
gather  documents  describing  the  NARDAC  organization, 
their  equipment  and  applicable  Department  of 
Defense,  Secretary  of  the  Navy,  Chief  of  Naval 
Operations,  and  Commander,  Naval  Data  Automation 
Command Instructions detailing standards; and to gain
an understanding of the NARDAC policies and standards.

4. Conduct a review of management controls. Interview
and gather data from NARDAC customers and NARDAC
employees.

5.  Perform  a  detailed  examination  of  operations. 
Analyze  the  data,  making  additional  examinations  and 
evaluations  as  required. 
6. Write a final report indicating the conclusions
drawn from the audit and supporting each conclusion
by the finding upon which it is based. Make recommendations
for solving the problems found.

This  audit  guide  is  organized  into  three  chapters.  Each 
chapter  gives  detailed  steps  applicable  to  three  areas  of 
EDP  facility  operations  as  follows:  [Ref.  50] 

1. Computer center controls

a.  organization  and  management; 

b. input/output procedures;

c.  media  library; 

d.  operations; 

e.  environment  and  security; 

f.  resource  and  contingency  planning; 

g.  time  accounting  and  billing; 

2.  Application  system  procedural  controls 

a.  transaction  origination; 

b.  transaction  entry; 

c.  data  communications; 

d.  computer  processing; 

e.  data  storage  and  retrieval; 

f. output processing;

3. Local programming development controls

a.  requirements  approval; 

b.  programming  management; 

c.  acceptance  testing; 

d.  documentation  and  interface; 

e.  data  base  administration. 

The  auditor  may  add  to  this  program,  or  omit  certain  steps 
from  the  program  to  attain  the  audit  objectives.  Assistance 
of  computer  specialists  may  be  required  in  application  of 
this  guide. 

Internal  controls  are  essential  to  the  prevention  of 
fraud  or  illegal  practices.  Those  audit  steps  annotated  by 


XX. AUDITING THE COMPUTER CENTER


A. ORGANIZATION AND MANAGEMENT

The organization of the computer center is basic; the
structure  of  the  organization  and  the  quality  of  personnel 
affect  management's  ability  to  implement  internal  controls. 

The preliminary survey provides the first set of information
about the NARDAC, information needed to direct and
execute an audit efficiently. Through a set of interviews
with Department Heads and Division Heads, the auditors
should obtain background information on the development of
the NARDAC, its organizational ties, its purpose, the types
of  services  it  provides,  the  resources  available  to  it,  how 
they  are  applied,  who  its  customers  are,  and  the  bases  for 
its  service  charges. 

As  much  documentation  as  possible  should  be  obtained 
since  documentation  on  policies,  procedures,  plans  and 
management reports can indicate the efficiency of NARDAC
management. 

The background information obtained through the interviews
and the availability of documentation — or lack of
documentation — will allow the auditors to prepare an audit
plan that properly addresses itself to the areas that seem
to need special attention. Obtain an overview of the
historical development of the NARDAC.

The "Navy ADP Reorganization Study Implementation Plan
Report" provides a detailed overview of the historical
perspective of NARDACs. Obtain documentation of the organization
charts, policy statements, job descriptions,
personnel listings and descriptions of services. The NARDAC
Organization Manual is an excellent source for some of the
necessary information. Indications of the established delegation
of responsibilities should be obtained, as well as of
the  separation  of  authority,  how  these  are  defined,  and  the 
controls  in  force  to  assure  proper  adherence. 

Lists  of  assets  reflecting  the  entire  complement  of 
facilities  and  hardware,  as  well  as  software,  should  be 
obtained,  together  with  supporting  layout  plans. 
Supplemental  documents  for  the  various  functional  areas 
(e.g.,  standards  manuals,  operator  manuals,  user  manuals, 
equipment  lists  and  layouts,  facilities  plans,  user  lists) 
should  also  be  gathered. 

Analysis  of  management's  use  of  performance  reporting 
systems  will  indicate  potential  problems.  Documentation  of 
planning done for the NARDAC, operational as well as financial,
for the short term and long term, should also be
requested. 

For an overview of the administration of the NARDAC, the
organization  manual,  procedures  or  directives  pertaining  to 
internal  as  well  as  external  functions  should  be  reviewed. 
Personnel  management  will  be  reflected  in  the  available 
recruiting  and  hiring  policies,  functional  descriptions, 
personnel  development  plans  and  training  programs,  and 
career  path  and  promotion  plans. 


1.  Identify  the  mission  and  operations  of  the  facility 
to  determine  the  major  areas  of  EDP  responsibilities 
of  the  activity,  including  scope  of  operations  and 
limitations on responsibility and authority.

2. Determine if the facility organization promotes
mission  accomplishment  and  provides  separation  of 
responsibilities. 

3.  Examine  the  latest  reports  of  internal  review, 
inspections,  and  audits,  and  evaluate  action  taken 
to  correct  deficiencies. 


4. 

a. Ensure that all assets have been identified.

b.  Evaluate  the  reasonableness  of  the  identified 
potential  for  loss. 

c. Ensure that a positive balance of facility
controls has been established which equates the
incremental cost of including such controls with
the risk of loss due to their omission.

5. "M" Determine that the EDP facility has established a
formal system of administrative controls which establish
tasks, functions, and policies covering the
following areas:

a. preinstallation controls which cover feasibility
studies and preinstallation planning.

b.  organization  controls  which  cover  the  division  of 
duties  both  outside  and  within  the  EDP  divisions, 
the  functions  of  the  data  control  group,  tape 
library,  etc. 

c.  development  controls  which  cover  the  planning  of 
new  applications,  the  establishment  of  standard 
procedures  for  system  design  and  programming, 
authorizations and approvals, testing, controls
over initial conversion, and control over subsequent
changes.

d.  procedures  established  for  control  over  change 
to  central  design  agency  (CDA)  supplied  programs. 

e. operations controls which cover standard operating
instructions, file handling, and protection
against accidental destruction.

f.  processing  controls  which  cover  hardware  controls, 
input  and  output  controls,  programmed  controls, 
and  provide  audit  trails. 

g. documentation controls which cover problem definition,
documentation standards, systems and
program documentation, operators' manuals, etc.

h. outside data center controls which cover the
commitment and selection of data center services,
organizational requirements for data center operations,
I/O controls and audit trails, and security
for customer data records.

6. "M" Review the EDP facility security plans, policies,
and procedures. (OPNAVINST 5239.1, NAVCOMPTINST
7000.36; and FIPS PUB 31)

a. Ensure that an EDP security officer has been
assigned. This position should be organizationally
separate from the EDP operations and have
specific responsibilities and authority for implementation
and maintenance of facility security.

b. Review established security policies and
procedures. Specific responsibilities
identified for all facility personnel
EDP security and periodic security
provided.


c. Evaluate results of periodic security reviews
and determine that appropriate actions have been
taken to prevent recurrence of security violations.

d. At activities with remote terminal operations,
determine that passwords and terminal access
control responsibilities are centralized with the EDP
security officer. Ensure that procedures are
established which require periodic changes of
passwords and mandatory changes upon personnel
separations.

e. Ensure that at facilities responsible for processing
classified data EDP personnel have
security clearances equivalent to the classification
of data being processed.

f. Ensure that there is a formal access list indicating the
specific conditions under which access to the
various EDP areas will be authorized. This should
include limited access to the computer and library
areas to only personnel with assigned responsibilities
in these areas.

g. Review accountability of control procedures
and devices used at the facility. Ensure that
badges, card keys, cypher books, safe combinations,
or similar devices in use are controlled
and periodically changed and that these actions
are recorded.

7. Ensure that user/customer liaison procedures have been
established to provide for not only resolution of
input/output problems but to support periodic reports
and management reviews. (SECNAVINST 5214.2;
SECNAVINST 5210.8a)

8. "M" Verify that EDP support provided to private
parties or contractors has been properly approved
(Navy Regulations, Article 0749; and NAVCOMPT Manual,
par. 075500-1) and that appropriate billing rates are
established. (NAVCOMPT Manual, par. 0355881)


B. INPUT/OUTPUT CONTROL AND SCHEDULING

Effective quality assurance/production control ensures
the timeliness, accuracy, and overall integrity of work
submitted to and emanating from the computer center. This
includes scheduling of work and quality control of source
data and outbound reports to ensure accuracy and completeness
of data received and distributed. (NAVCOMPTINST
7000.36)

9. "M" Review facility procedures for acceptance and
scheduling of input data:

a.  Examine  logs,  records,  and  schedules  of  antici¬ 
pated  inputs. 

b.  All  input  data  should  be  scheduled. 

c. Follow up should be provided on late data
receipt.

d. Records should be maintained indicating the
date source documents are due in, date received,
persons authorized to submit, and persons actually
submitting.

e.  Are  negative  responses  required  when  anticipated 
data  is  not  to  be  submitted?  How  is  unscheduled 
data  received? 

f. Do receipt procedures require preliminary verification
to ensure that all illegible, incomplete,
or otherwise unacceptable source documents are
returned to the originator prior to further
processing of the document? Unused portions of
input coding sheets should be voided by the
originator to preclude unauthorized additions.

10. Review facility procedures for transcription and
control of input data. Analyze the following:

a. Input job control procedures should be documented
for each job and detailed procedures established
to prevent loss, misuse, or improper handling.
To ensure complete and accurate receipt and
transfer of all input documents, one or more of
the following checks should be used for each job:


(1)  Document  register; 

(2)  Batch  control  tickets; 

(3)  Transmittal  slip; 

(4) Beginning and ending document numbers;

(5)  Money  amount  totals; 

(6)  Hash  totals. 


b. Source data automation procedures should use key
entry system production features to the maximum
extent possible for data verification. Rekeying
verification should only be used when key entry
system production features do not provide sufficient
assurance of data accuracy.

c. Ensure that key entry operating procedures prohibit
key entry personnel from altering data on
source documents and restrict access to source
data automation programs.

d. Ensure that the computer programmers, system
analysts, and computer operators do not have
access to source documents. Programming jobs
which  require  fast  turnaround  time  should  be 
submitted  through  normal  input  procedures  with 
priority  handling. 

e. Analyze data entry production statistics for
effective  utilization  of  personnel  and  equipment 
capabilities.  Ensure  that  source  data  automation 
back-up  support  plans  are  documented  and  filed 
both  onsite  and  offsite. 

f.  Ensure  that  the  input  preparation  phase  is 
completed  in  accordance  with  clearly  specified 
processing  schedules.  Investigate  excessive  late 
deliveries  of  input  data  for  processing. 

11. "M" Review facility procedures for processing output
to users. Perform an analysis of the following:

a. Ensure that there is adequate control of rejected
original documents to ensure timely distribution
to the authorized originator for investigation,
correction, and reinput or cancellation.

b.  Ensure  that  authorization  listings  are  maintained 
for  individuals  designated  to  receive  output  and 
that  these  provisions  are  enforced. 

d. Ensure that the data and condition of issuance
of input data or other ADP source data distributed
for use at other EDP facilities is documented
and that authorization is verified before
distribution.

e.  Ensure  that  procedures  are  established  to 
indicate  location  and  specific  retention  and 
disposition  of  original  source  documents. 
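
The batch checks listed under step 10.a (document counts, beginning and ending document numbers, money amount totals, hash totals) can be shown with a short worked example. This is an added illustration, not part of the original guide; the record layout, the function names and the sample figures are assumptions constructed for the example, and it assumes source documents are numbered consecutively within a batch.

```python
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class Document:
    number: int       # pre-printed serial number of the source document
    account: int      # account number keyed from the document
    amount: Decimal   # money amount keyed from the document


@dataclass(frozen=True)
class BatchTicket:
    """Control figures the originator records before handing the batch over."""
    count: int
    first_number: int
    last_number: int
    money_total: Decimal
    hash_total: int   # sum of account numbers: meaningless except as a check


def make_ticket(docs):
    numbers = [d.number for d in docs]
    return BatchTicket(
        count=len(docs),
        first_number=min(numbers),
        last_number=max(numbers),
        money_total=sum((d.amount for d in docs), Decimal("0")),
        hash_total=sum(d.account for d in docs),
    )


def verify_batch(ticket, keyed):
    """Compare keyed documents with the ticket; return (check, detail) findings."""
    findings = []
    numbers = [d.number for d in keyed]
    expected = set(range(ticket.first_number, ticket.last_number + 1))
    if len(keyed) != ticket.count:
        findings.append(("count", f"{len(keyed)} keyed, {ticket.count} on ticket"))
    missing = sorted(expected - set(numbers))
    if missing:
        findings.append(("missing_numbers", missing))
    unexpected = sorted(set(numbers) - expected)
    if unexpected:
        findings.append(("unexpected_numbers", unexpected))
    duplicates = sorted({n for n in numbers if numbers.count(n) > 1})
    if duplicates:
        findings.append(("duplicate_numbers", duplicates))
    money = sum((d.amount for d in keyed), Decimal("0"))
    if money != ticket.money_total:
        findings.append(("money_total", f"{money} keyed, {ticket.money_total} on ticket"))
    hashed = sum(d.account for d in keyed)
    if hashed != ticket.hash_total:
        findings.append(("hash_total", f"{hashed} keyed, {ticket.hash_total} on ticket"))
    return findings


def checks_failed(ticket, keyed):
    """Names of the checks that failed, in the order they were applied."""
    return [check for check, _ in verify_batch(ticket, keyed)]


# Constructed sample batch as the originator prepared it.
SENT = [
    Document(1001, 4417, Decimal("125.00")),
    Document(1002, 5230, Decimal("80.50")),
    Document(1003, 6102, Decimal("310.25")),
    Document(1004, 7781, Decimal("42.00")),
]
TICKET = make_ticket(SENT)

# Keying error: two digits of one account number transposed.
TRANSPOSED = [replace(SENT[0], account=4471)] + SENT[1:]
# One document swapped for another with the same account and amount.
SUBSTITUTED = SENT[:2] + [Document(1010, 6102, Decimal("310.25"))] + SENT[3:]
# Last document lost between receipt and key entry.
DROPPED = SENT[:3]

if __name__ == "__main__":
    for name, batch in (("sent", SENT), ("transposed", TRANSPOSED),
                        ("substituted", SUBSTITUTED), ("dropped", DROPPED)):
        print(name, checks_failed(TICKET, batch))
```

The transposed account number leaves the count and money total intact and is caught only by the hash total, while the substituted document passes every total and is caught only by the document number range, which is why the guide asks for more than one check per job.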


C. MEDIA LIBRARY CONTROLS

Data  processing  management  must  ensure  the  continued 
availability  of  data  stored  on  various  data  processing  media 
(primarily  magnetic  tapes  and  disks).  In  addition,  some  of 
this  data  may  be  especially  sensitive  or  confidential, 
requiring special custody methods. (NAVCOMPTINST 7000.36 and
FIPS PUB 31)

12. "M" Review access controls to the media library and
the procedures for issuance of media.

a. Ensure that there is a physical separation of
the media library from the computer room and that
adequate space is provided for storage of tapes,
disks, etc. This area should be secured when not
staffed.

b. Ensure that access to the media library is
limited to specifically authorized personnel and
is consistent with the separation of duties
between input/output, computer operation, and
media library personnel.

c. Identify personnel designated as librarians
and ensure that their duties are separate and
distinct from other EDP functions. Assess the
work schedule of the librarians to ensure that
staffing is sufficient to maintain controls over
the issuance of media.

13. "M" Review media library inventory procedures.

a. Ensure that the schedules, logs, etc., are maintained
indicating when media is issued and is due
for return. Evaluate procedures for protection
of in-transit media. The catalogs or index listings
should show the current physical location of
all media storage units. Compare this record
with job accounting records to check for consistency.
Evaluate procedures for follow up on
overdue media storage units.

b. Ensure that there are instructions indicating how and
under what circumstances tapes or disks
(including blanks) can be checked in or out of
the library. This should include listing of
authorized personnel and security clearances.
Ensure that borrowed media from other locations
are documented: (1) Name of requester. (2) Date
received. (3) Due date to return. (4) Lending
location.

c. Ensure that a complete inventory listing is
maintained for each storage location that
accounts for all media storage units from receipt
of blanks to disposal of used units. The inventory
list should include as a minimum: (1)
Library location. (2) Reel or serial number.
(3) Job or project number. (4) Description of
data. (5) Date created. (6)
Retention-expiration of retention period. (7)
Owner. (8) Issued to and date. (9) Returned
date.

d. Ensure that periodic physical inventories
are performed and that differences are reconciled
and missing media located. Ensure that on hand
media stocks are adequate for continuous operation.

e. Assess the adequacy of the physical storage
facilities in the main media library and in
back-up libraries.

14. Review media storage maintenance, procurement, and
disposal procedures.


a. Evaluate the facility's media unit test, cleaning,
reconditioning, and degaussing procedures.
Determine the adequacy of procedures established
for monitoring and accounting for media storage
usage.

b. Ensure that media storage cleaning, reconditioning,
and degaussing machines are physically
separated from the library area.

c. Unless nonstandard media storage units are
justified by the facility, ensure that only standard
stock media storage units are procured
through standard supply schedules.

d. Evaluate procedures for disposal of used
media storage units. Storage units which
contained classified or sensitive data should be
erased before disposal.

e. Trace the backup and retention systems for the
media and ensure that procedures and the compliance
thereto are adequate to support EDP
processing backup.


D. OPERATION AND MALFUNCTION/PREVENTIVE MAINTENANCE


Effective  and  efficient  processing  is  facilitated  by 
formally  defined  procedures  for  operating  personnel.  This 
includes  not  only  production  procedures  but  also  procedures 
for  reporting  of  hardware  and  systems  software  malfunctions. 


15.  Review  computer  room  procedures. 

a. Ensure that shift schedules provide for
personnel rotation and that all operators are
given experience in processing various applications.
No one operator should always be responsible
for a particular application.

b. Ensure that the duties of computer operators,
programmers, or system analysts do not include
initiation of transactions into the system and/or
changes  in  the  master  files.  Operators  also 
should  not  be  allowed  to  utilize  the  console  to 
handle  error  routines  without  prior  approval  of 
persons  outside  the  operations  unit. 

c.  Programmers,  analysts,  and  system  managers 

should  be  denied  uncontrolled  access  to  the 
computer  room  unless  such  access  is  clearly 
prescribed  and  consistent  with  formally  assigned 
duties  and  responsibilities. 

d.  Determine  that  there  are  formal  system  operating 
procedures  for  each  scheduled  application  and 


16.  Evaluate  malfunction  and  maintenance  records 


a.  Review  malfunction  and  maintenance  records  to 
detect patterns of poor performance and other
exceptional  characteristics. 

b.  Review  computer  system  performance  records 

and  schedules  to  assess  the  impact  of  maintenance 
and  reliability  on  the  productivity  of  the 
installation. 


c. Review accounting system production run time
statistics to determine any positive or negative
trends in the length of time required to process
specific applications. If times are increasing,
review maintenance and operating procedures and
statistics to determine why production efficiency
is declining rather than improving.

d. Interview management, vendor, and service
personnel concerning their function and their
interactions.


e.  Trace  the  process  of  detecting,  correcting, 

accounting,  and  reporting  hardware  and  software 
failures.  (SECNAVINST  5233.1a)  Critical  points 
are  logging,  setting  priorities,  assigning  for 
resolution,  exception  reporting  for  long-lasting 
troubles,  assessing  the  performance  of  the 
vendor,  and  comparing  this  instance  with  prior 
instances. 


17. Obtain a listing of remote terminals, evaluate the
justification for the installations and the capabilities
available at each terminal relative to file
updating  and  transaction  input. 


E. ENVIRONMENTAL CONTROLS AND PHYSICAL SECURITY

Data processing facilities are a substantial asset and
must be managed to minimize the possibility of loss of capability.
This includes physical protection against natural
hazards and the control of individuals' use of facilities.
(OPNAVINST 5239.1, NAVCOMPTINST 7000.36)

18. "M" Obtain and analyze the floor plan of the
facility.

a.  Evaluate  the  adequacy  of  the  locking  devices 
between  facility  areas  and  at  entrances  and  exits 
(including  windows). 

b. Evaluate the construction and materials used in
the facility with regard to their fire-resistant
qualities. Ensure that storage areas for
combustible items, such as stocks of paper,
tapes, etc., are physically separate from the
computer room. Computer room stocks of combustible
materials should be limited to working stock
and stored near fire extinguishers.

c. Review all fire alarm systems and determine
how and where the systems may be activated.
Determine if the fire alarm sounds locally at the
guard stations, or at the police and fire departments.
Ensure that heat and smoke detectors are
installed.

d. Determine if there is a water detection system.
Review the drainage system of the building; and,
if necessary, determine that an adequate pumping
system is installed or available from the fire
department.

e. Ensure that the condition of the facilities'
ceiling or roof provides adequate protection from
leaks. Examine the overhead area for the presence
of any pipes that may result in water
damage.

19. Examine the power supply, assessing the appropriateness
of back-up equipment to the needs of the
facility.

a. Check records of the reliability of the local
power supply and the impact of failures on the
operation of the facility. Examine the records
of recording instrumentation measuring line
voltage.

b.  Determine  if  there  is  a  standby  power  source 

to  support  computer  operations,  emergency 
lighting,  and  electrically-operated  access 
controls.  Ensure  that  the  standby  power  system 
is  adequately  maintained  and  periodically  tested. 

20.  Examine  provisions  for  air  conditioning  for  the 
computer  room,  input  area,  and  media  library. 

a. Ensure that the air-conditioning equipment is
secure  and  is  dedicated  to  the  production  areas. 
Ensure  that  proper  temperature  and  humidity  is 
maintained. 

b.  Determine  that  air  conditioning  and  heating 
systems  are  serviced  on  a  regular  schedule. 
Ensure  that  backup  air  conditioning  provisions 
are  adequate. 

c.  Assess  the  degree  of  protection  provided  for 

air  intakes,  cooling  towers,  smoke  removal,  and 
exhaust  systems. 

21.  Obtain  a  listing  of  remote  terminals,  and  evaluate 
the  security  procedures  for  permanent  and  portable 
installations. 

a.  Inspect  the  terminals  to  determine  if  they  are 
located  in  appropriately  controlled  areas. 
Examine practices from the standpoint of the use
of  keyboard  locking  devices,  operator  IDs  and 
passwords,  overprinting  of  passwords,  and  related 
features. 

b. Examine the access of terminal users to
assembly-level languages and assess the
protection mechanisms that are available.

c. Determine if the use of terminals associated
with classified data bases and programs is
adequately monitored and supported by data
protection techniques.

22. "M" Evaluate the facility physical access controls.

a. Obtain a list of personnel who have authorized
access  to  various  areas  in  the  facility  and 
assess  the  necessity  of  such  access.  Compare 
this  list  with  the  issue  control  list  of  card 
keys,  combinations,  etc.  that  have  been  issued. 

b.  Ensure  that  procedures  for  issuance  of  keys, 
combinations,  etc.  are  adequate. 

c.  Determine  if  badges  are  used  for  personnel 
or  visitors. 

d. Ensure access controls outside of day-shift hours
require reporting to notify management of
personnel who access the facility. Determine if
personnel challenge strangers.

23.  Review  emergency  procedures. 

a. Observe that emergency telephone numbers are
posted  conspicuously. 

b.  Ensure  that  emergency  power  off  switches  are 
marked  and  placed  at  all  emergency  exits  and  are 
protected  from  accidental  activation. 

c.  Review  fire  drill  and  shut  down  procedures  for 

adequacy  and  completeness.  Determine  if 

employees  know  the  location  of  the  sprinkler 
shut-off  valve. 

d. Ensure that portable fire extinguishers are
suitably located throughout the computer area and
that personnel are trained in their use. Obtain
documentation to verify that fire detection
equipment is tested on a regular basis. Ensure
that smoking is prohibited in the computer area
and the media library.

e.  Ensure  that  exits  are  adequate,  well-marked  and 
kept free of obstructions.

24. Determine if back-up facilities are tested at regular
intervals, and if the procedures for the test and the
changeover are readily available to personnel.


F. RESOURCE AND CONTINGENCY PLANNING


Management of the computer center has a continuing
responsibility to ensure that efficient and economical
services are provided on a continuing basis. Management
must be able to predict changes in workloads and the effect
of those changes on resource requirements. A primary
responsibility is to maintain suitable contingency control
plans covering disaster conditions, either natural or
man-made.


25.  Review  activity  budgeting  responsibilities  and 
determine  the  adequacy  of  fund  administration  for 
budget  execution. 

26. Review controls and procedures for acquiring,
reporting and monitoring the utilization of EDP
equipment.

a. Appraise the procedures for determining and
evaluating idle and excess property. Examine the
most recent Reconciliation of Plant Account for
accuracy of reporting. (SECNAVINST 5237.1A)

b. Appraise the reporting and processing of excess
EDP equipment for reutilization or disposal
actions. (SECNAVINST 5237.1)

c. Appraise management procedures to report EDP
equipment utilization. (SECNAVINST 5238.1A)

d. Appraise management procedures to maintain
optimum utilization, including the following:

(1) Determine who is responsible for performance
measurement within the data processing
organization.

(2) Determine what methods or techniques the
installation uses for evaluating the
efficiency of computer operations (hardware and
software).

(3) Review the installation's program for
evaluating computer systems performance.

(4) Evaluate results obtained from performance
evaluation.

(5) Review available performance measurement
statistics such as hardware or software
monitor output, and system management
facility information. Do statistics show
under-utilization of any hardware? Of
particular concern are the central processing
unit (CPU), tape drives, printers, disk
drives, and channels.

27.  Review  facility  contingency  plans: 

a. Obtain and review risk analysis performed to
identify potential threats to the facility.
Ensure that contingency plans developed from this
risk analysis are consistent with the identified
threats and equate cost of implementing the
contingency plans to the potential for loss.
(OPNAVINST 5239.1)

b. Review contingency plans to ensure that
procedures are established to guide facility
activities during natural disasters as well as
civil disturbances. Contingency plans should
cover both (1) loss or destruction of data and
program files and (2) theft of information and
delays in computer processing.

c. Ensure that security and operations personnel are
periodically briefed on their responsibilities
for implementing disaster contingency plans.

28. Review facility backup support agreements:

a. Ensure that backup support agreements provide
for not only processing of critical applications
but also for input data transcription services.

b.  Ensure  that  support  sites  have  the  capacity  or 

can  arrange  to  accommodate  the  added  backup 
support  by  discontinuing  their  nonessential 
processing. 


c.  Ensure  that  detailed  operating  procedures, 
instructions,  etc.  are  stored  with  back  up  media 
at  a  remote  site  from  the  facility  which  can  be 
transferred  to  the  backup  facility  if  necessary 
to  resume  EDP  processing. 

d.  Ensure  that  the  backup  processing  plan  has  been 
tested  and  problems  identified  resolved. 


G. TIME ACCOUNTING AND BILLING PROCEDURES

Management has a responsibility to ensure that operating
costs of the computer center are equitably distributed among
reimbursable users. Equitable distribution of cost requires
that an adequate accounting system provide maintenance of
records and documentation for both financial and nonfinancial
data. Documentation of recorded CPU time and storage
cost plus material and labor usage must afford an adequate
basis for billing and provide a logical audit trail.


29. Review EDP accounting procedures.

a.  Ensure  that  billing  algorithms,  statements,  and 
rerun  cost  allocation  procedures  provide  for 
identification  of  responsible  customer. 

b. Ensure unique supplies and other quantifiable
direct cost, such as commercial data
transcription services, are identified and
supported.

c. For nongovernment users, private parties, ensure
that the greater of either the activity computed
cost or the local commercial rate is billed.
(NAVCOMPT Manual, par. 035381)

d. Ensure that the billings are supported by detail
billing analysis for each customer.

30. Review activity billing procedures and analyze the
following:

a. Determine that there are intra/inter services
support agreements between the computer center
and reimbursable users.

b. Examine consistency between billings and the
job accounting system.

c. Examine procedures to arbitrate billing
disputes between users and the center.


X. APPLICATION SYSTEM PROCEDURAL CONTROLS


A. INTRODUCTION


Application system program procedural controls have
replaced many of the more conventional internal controls
developed for manual systems. To ensure that internal
controls are valid and effective, a comprehensive approach
is necessary. Not only must procedural requirements for all
operational system applications be reviewed, but the
application controls for locally developed and operated
applications must also be validated. The scope of the facility
audit of application system controls should include a review
of the major control procedures of the CDA application
systems and local applications in operation at the facility
for which the facility has control responsibility. This
includes comparison of application controls, documentation,
interface with facility unique applications (and their
controls), and review of CDA required processing procedures
with activity operations. Software internal control reviews
of specific applications are beyond the scope of this audit
program.


B. TRANSACTION ORIGINATION

Effective  transaction  control  requires  that  source  data 
be  captured  as  soon  and  as  close  to  the  point  of  origination 
as  possible.  Procedures  must  be  established  to  control  and 
ensure  the  accuracy  and  completeness  of  each  transaction 
from  originator  and  subsequent  transcription  entry  into 
transaction  edit  routines. 

1. Review selected application systems and evaluate
manual transaction origination procedures.

a. Ensure that control documentation describes how
and under what circumstances transactions arise,
who is responsible for recording, encoding, and
initiating, and how it is processed.

b. Select a sample of transactions from various
applications and trace back to the corresponding
source documents; verify authorizing signatures.
Ensure that actual processing procedures were as
described in the control documentation.

c. For centrally designed systems, compare processing
procedures and practices to CDA system
specifications. Ensure that transaction origination
practices are consistent with system requirements.

2. Review interactive terminal application system input
control procedures.

a.  Ensure  that  control  procedures  for  terminal 
operations  require  review  and  certification  of 
input  transactions  by  other  than  the  terminal 
operators. 

b.  Ensure  that  controls  have  been  established 
requiring passwords and other processing controls.


C. TRANSACTION DATA ENTRY

Effective use of transaction data entry controls can
verify prior to application processing that data transcribed
is consistent with specified limits. Various methods can be
employed to edit transactions such as batch and check
totals, alpha and numeric field limits, etc.


3.  Review  selected  application  systems  and  determine 
what  types  of  edit  checks  are  used.  Ensure  that 

§  reserved  procedures  are  consistent  with  facility 
operating procedures.

4. Trace a selection of transactions through this stage
of the application system to evaluate the effectiveness
of the transaction data entry controls.


D. DATA COMMUNICATIONS

The integrity of data is dependent upon processing
controls and systems operating procedures' ability to
compensate for momentary or major commercial network
failures. In addition, communication controls are required
to ensure that only authorized users have access to system
application through the communications network.


5. Review operating and application system communications
controls. Ensure that the documentation is
consistent with facility operating procedures.

6. Review communications Preventive Maintenance and
Failure Reports. Records of reported failures,
emergency, and preventive maintenance actions should
be examined to assess promptness, thoroughness, and
general quality of maintenance support.

7. Review Recovery Logs or other files prepared for use
in recovery/restart processes. Review lost or
garbled data error message accountability.

8. If the system under audit possesses an integrated
test facility (ITF), this should be used to validate
error routines.


E.  OUTPUT  PROCESSING 

Effective  utilization  of  output  products  requires 
controlled,  timely  distribution  to  both  originators  for  data 
confirmation and to users for action.


9. Ensure that procedures are adequate to support user
requirements.

a. Trace selected individual output products from
printing to user receipt and usage.

b. Verify facility procedures in processing and
correcting erroneous output.

10. Review formal output procedures.

a.  Ensure  that  procedures  provide  sufficient  control 
to  prevent  unauthorized  access  to  outputs  and  that 
these  procedures  are  followed  by  facility  and  user 
personnel. 

b. Ensure that allocation of responsibilities within
and between the computer center and its user/customers
provides for effective control and
liaison.


XI. IfifilSIJS LOCAL PROGRAMMING MAINTENANCE AND DEVELOPMENT


A. REQUIREMENTS APPROVAL

Facility local programming for support or new programs
is contingent upon the amount of effort provided to
centrally designed and maintained programs and program
changes. Local program effort is usually very limited and
as such, user requirements must be documented and reviewed
to ensure that the maximum benefits can be obtained.


1. Review procedures for accepting user/customer
requirements for new or modified programs.

a. Determine that the user requirements have been
carefully and thoroughly documented.

b. Review estimating procedures for programming
requirements. For systems requiring cost-benefit
analyses, ensure that hardware requirements were
determined and considered in the analyses.


c.  Hfview^e^grting  procedures  for 


Sro posed 

with  guidance  on 
existing  output  or  other  methods  of  satisfying 
their  requirements? 


,!SS?Ia- 


2. Review acceptance procedures.


a. Ensure that jobs accepted are formally approved
within the computer center.

b. Review procedures for establishing programming
priorities and subsequent scheduling.

c. Review programming workload: Ensure that
contractor programming support has been considered
if backlog situations are a continuing problem for
valid requirements.


B. PROGRAMMING MANAGEMENT


Project management techniques can be used for program
changes and development to provide a formalized means of
measuring progress through the use of periodic status
reports. (OPNAVINST 5231.1)


3. Verify that a suitable management structure exists
for program development.

a. Examine status reporting provisions. Determine
the need and the availability of specialized
reporting techniques such as PERT or reporting
approaches such as Gantt charts. The auditor
should be able to easily determine the status of
all CDA and local development projects.

b. Analyze reporting procedures for programming
progress. How well do original programming
estimates compare to project budgets and actual
expenditures?

c. Examine the dissemination of status reports and
other project information to interested parties
both inside and outside the data processing group.

d. In projects that are completed or nearing
completion, ensure that feedback mechanisms will ensure
that lessons learned are taken into account in
future development projects.

4. Review programming methods for the following:

a. Review user and operational documentation for
compliance with standards. (SECNAVINST 5233.1A;
DODINST 4120.17M)

b. Ensure that the conversion plan provides
for program implementation without interruption of
data processing services to the users.

c. Determine if an adequate test plan is
developed and followed to validate each new
system. Review the adequacy of test results.

d. Does the facility use a structured programming
approach to program development?

5. Determine the degree of independence exercised by the
group charged with acceptance testing of new
application systems.

6. Evaluate the completeness and comprehensiveness of
test planning and test specifications used by the
acceptance testers.

7. Evaluate the thoroughness of the acceptance testing.

8. Review procedures to resolve discrepancies reported by
acceptance testing.

9. Evaluate the degree to which users participate in the
planning, conduct, and evaluation of acceptance

C. CHANGE CONTROL


Formalized procedures for modifying operational
application systems must require written approvals and supporting
documentation. Controls in this area should focus on
preventing unauthorized, erroneous, or accidental changes
from being introduced into previously tested and accepted
computer programs. (NAVCOMPINST 7000.36)


10. Ensure that procedures requiring formal, written
requests for changes have been established.

11. Determine what mechanisms are used for review of
proposed changes and how effectively these
mechanisms are used. For example, is there a change
control committee that is responsible for deciding
priorities and allocation of resources to changes?

12. Determine if there are restrictions on the number
and/or type of persons who can make changes.

13. Determine if independent means are used to report
the existence of program changes. For example,
some installations have automated the systems
management facility of the computer operating
system to prepare reports on all changes to
libraries.

14. Examine the processes associated with "quick fixes"
to ensure that these fixes are controlled
adequately.

15. Determine if there are controls on the number of
times changes can be made during a given time
period or on the frequency of changes to any given
program.

16. Ascertain whether any special programs are used to
control access to libraries of source programs.
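
The checks in items 10 through 15 can be run together by reconciling an independent report of library changes against the file of written change requests. The following is an added example, not part of the original audit program; the record layouts, program names, user IDs, request numbers and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Request:
    """A formal, written change request (item 10). Layout is hypothetical."""
    req_id: str
    program: str
    approved_by: str              # "" means never approved
    approved_on: Optional[date]
    quick_fix: bool = False       # emergency change, approved after the fact


@dataclass(frozen=True)
class Change:
    """One library update taken from an independent change report (item 13)."""
    program: str
    changed_on: date
    changed_by: str


def reconcile(changes, requests, authorized, quick_fix_days=3,
              max_changes=2, window_days=30):
    """Return (code, program, date) findings for changes that break change control."""
    pending = defaultdict(list)           # unconsumed requests per program
    for r in requests:
        pending[r.program].append(r)
    history = defaultdict(list)           # recent change dates per program
    findings = []

    for c in sorted(changes, key=lambda ch: ch.changed_on):
        def flag(code):
            findings.append((code, c.program, c.changed_on))

        if c.changed_by not in authorized:                 # item 12
            flag("UNAUTHORIZED_PERSON")

        req = pending[c.program].pop(0) if pending[c.program] else None
        if req is None:                                    # item 10
            flag("NO_WRITTEN_REQUEST")
        else:
            if req.approved_by == c.changed_by:            # item 11: review must be independent
                flag("SELF_APPROVED")
            if req.quick_fix:                              # item 14
                deadline = c.changed_on + timedelta(days=quick_fix_days)
                if req.approved_on is None or req.approved_on > deadline:
                    flag("QUICK_FIX_UNREVIEWED")
            elif req.approved_on is None or req.approved_on > c.changed_on:
                flag("NOT_APPROVED_BEFORE_CHANGE")

        # item 15: too many changes to one program inside the window
        start = c.changed_on - timedelta(days=window_days)
        history[c.program] = [d for d in history[c.program] if d >= start]
        history[c.program].append(c.changed_on)
        if len(history[c.program]) > max_changes:
            flag("CHANGE_FREQUENCY_EXCEEDED")
    return findings


# Constructed sample data: every name, ID and date below is invented.
AUTHORIZED = {"lib_a", "lib_b"}
REQUESTS = [
    Request("CR-001", "PAYROLL01", "ccb", date(1984, 3, 1)),
    Request("CR-002", "BILLING07", "ccb", date(1984, 3, 12), quick_fix=True),
    Request("CR-003", "BILLING07", "lib_b", date(1984, 3, 8)),
    Request("CR-004", "BILLING07", "ccb", date(1984, 3, 14)),
]
CHANGES = [
    Change("PAYROLL01", date(1984, 3, 2), "lib_a"),
    Change("BILLING07", date(1984, 3, 5), "lib_a"),
    Change("BILLING07", date(1984, 3, 9), "lib_b"),
    Change("INVENT03", date(1984, 3, 10), "prog_x"),
    Change("BILLING07", date(1984, 3, 15), "lib_a"),
]


def sample_findings():
    return reconcile(CHANGES, REQUESTS, AUTHORIZED)


if __name__ == "__main__":
    for code, program, when in sample_findings():
        print(f"{when}  {program:<10} {code}")
```

The change report fed to `reconcile` has to come from a source the programmers cannot edit, otherwise the comparison only confirms what the change log already claims.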


D. DOCUMENTATION AND INTERFACE

Documentation is the process of describing on paper the
functions that each application system performs, how they
are performed, how the functions are to be used and how the
application interfaces with the total system. (SECNAVINST
5233.1A; NAVCOMPINST 7000.36)

17. Ensure that documentation describes the flow of
data within the application system.

18. Ensure that documentation describes how programs
implement controls.

19. Ensure that documentation specifies how programs
are to be operated, how they are to be backed up,
and how recovery procedures are conducted.

20. Review documentation and ensure that it is being
properly maintained and is updated.

21. Evaluate all user documentation and review for
clarity and usability.


E. DATA BASE MANAGEMENT AND CONTROL

Data base management and administration have a significant
impact on the efficiency, accuracy and effectiveness of
an EDP facility, especially in the area of computer
processing. Proper documentation of operating procedures,
applications programs and procedures, and accurate
cataloguing and maintenance of changes to data base files,
discs, tapes, data dictionary, etc. are critical in ensuring
control over the data base and the processing accuracy of
the facility's applications. There are several major areas
of control and associated safeguards that must be reviewed
during the facility audit. These include: (1) data base
control, access and physical security; (2) data base
maintenance and data base library controls; (3) user and technical
staff training; (4) data base/facility operations
interfaces; (5) systems development and testing; and (6) systems,
programming and procedures documentation.

These functions are appropriately the responsibility of
the Data Base Manager (DBM). All data base systems need at
least one position of authority to enforce data base policy
and procedures. Related elements of these areas will have
been reviewed during other sections of the facility audit.
The administration of the data base has a major impact on
the overall operations of the facility; any potential
overlaps are worth reviewing to thoroughly evaluate the
interfaces between data base and other facility activities.


22. Data Base Control, Access and Physical Security:

a. Review the organization structure to determine
if the DBM function is effectively segregated
from the rest of the organization, especially the
system development, user and operations
functions. The DBM function requires independence to
be effective in data base control.

b. Review the facility's operations access
controls to ensure that the DBM does not have direct
access to the computer operations center. The
DBM should not be allowed to operate the
facility's computer equipment.

c. Select a major customer for review of its input
controls. Review its written procedures for
input controls to ensure they maintain data base
security by keeping unauthorized users out of the
data base and also control authorized users'
access to and use of the data base. Types of
controls over users include separation of duties
for document preparation and data entry, written
authorization for data entry, passwords for
system entry, system logs to document system
usage, etc. These controls should also require
that the DBM must receive user department
approval prior to entering transactions into the
system.

d. Review the DBM's control over inputs to the data
base. The DBM has responsibility for all inputs,
and should be reviewing the data entered for
quality, organization (to ensure that it complies
with existing data base formats), integrity and
level of security required.

e. Review the system of checks and balances over
changes to the data base. While the DBM is
responsible for reviewing, approving and auditing
changes to the data base, facility procedures
should call for another authorized signature
(director of data processing, facility system
development committee, etc.) prior to the DBM
making changes to the data base.

f. Review the data base file controls to ensure
they restrict access to and provide complete
security for classified material in accordance
with OPNAVINST 5510.1F, Department of the Navy
Information Security Program Regulation. Relate
these controls to the security descriptions in
the data base dictionary; select (if you have the
appropriate security clearance) a random sample
of classified data elements, and review access to
and control over these elements.

g. Review the physical security of the data base,
including location in the facility, access
controls and logs, etc. The DBM is responsible
for the physical security of the data base, and
should have written procedures on file governing
security of the data base. The DBM must be
consulted by the facility security manager before
any changes are made to the facility that affect
access to and security of the data base as the
DBM is responsible for the overall security of
the data base.


h. Review the DBM's written procedures for recovery
and verification of the data base in the event of
partial or complete destruction, security
violation, or other compromise of the data base.

i. Interview the facility security manager and DBM
to evaluate their responses to such data base
compromise or destruction possibilities as theft,
classified material violations, unauthorized
changes to data base programs or the data base
dictionary, modifications to data base
application's programs, unauthorized use of system or
vendor utility programs to access the data base,
etc. Classified material violations should be
investigated. (OPNAVINST 5510.1F)

j. Review the facility risk assessment (OPNAVINST
5239.1).
Determine if the security measures and controls
selected and instituted by the facility are
appropriate and adequate to ensure control over
the data base. Review the specific controls,
including use of passwords, locatewords,
photographic ID cards for access to the data base
storage area, restriction of access to computer
operations personnel only, maintenance of a
directory of access privileges and related
security clearances and security profiles for all
personnel authorized access to the data base,
authorization tables for access to specific
programs, file records, control documentation,
etc.

k. Review systems analyst, programmer and operators'
access to the data base and determine if
appropriate controls exist to ensure data base
security and integrity. Specific items to be
reviewed include:

(1)  computer  console  logs  and  data  base  access 
logs 

(2)  DBM  control  over  access  to  the  data  base 
library 

(3)  other  physical  access  controls  over  database 
related  software 

(4)  the  software  controls  over  the  access  to  the 
database  via  utility  programs,  online 
networks,  etc. 

(5)  input/output  (I/O)  device  control  and  access 

(6)  programming  and  user  documentation  governing 
access  to  the  data  base 

(7)  DBM  control  over  all  vendor-supplied  utility 
programs 

(8)  controls  over  other  programs  relating  to  the 
data  base  to  ensure  only  authorized 
personnel  can  use  the  programs 

(9)  procedures  for  systems  analyst/programmer 
changes  to  data  base  programs 

(10) control over access to the master terminal
for entry of changes to system utility
commands and other database-related access
changes

(11) access controls in force when purging,
reorganizing or compressing a data base

23. Data Base Maintenance and Data Base Library Controls

a. Review the facility's job descriptions to ensure
that the DBM has complete responsibility for data
base maintenance and the data base library.

b. Review the DBM's control over the contents of,
changes to, and distribution of the data
dictionary, the procedures for reviewing and
updating the data dictionary, and the quality of
the definitions in the data dictionary. The data
dictionary should include data definitions as
well as information on the audit and/or
management trails in the system. The data dictionary
is actually the audit trail for the data base in
that it identifies the nature and organization of
data in the data base, the program/data
relationships for the facility's applications, and is a
tool for validation, edit and control of the data
in the data base. The DBM should be restricting
access to the data dictionary by providing safe
storage and tight physical control over the
available copies.

c. Review the log of changes made to materials held
in the data base library. The changes should be
subjected to a quality control review by the DBM
as well as by another independent authority, such
as the director of data processing, system
development committee, etc., and should have received
signature authorization prior to entry into the
data base. Determine if a software program
exists to periodically scan the data base and
identify if any unauthorized changes have been
made.

(1) data additions, deletions and changes

(2) the user, programmer or system analyst
originating the additions, changes and
deletions

(3) the reasons for the update, revisions,
reorganizations or compressions of the data
base

(4) the utilization of the data base by specific
users as well as by application, including
utility programs

(5) classified material or other data base
security violations

24. User and Technical Staff Training

a. Review the facility's training records or
individual personnel files to ensure that both
user and technical staff personnel have training
in:

(1) proper use of the data base

(2) data base security, including instruction in
the handling of classified material as
required by OPNAVINST 5510.1F


tu  uctci  nixie  cue;  au  u  cut; 

instruction  provided  to  facility  personnel  in 
data  base  management  and  classified  material 
control. 

25. Data Base/Facility Operations Interfaces

a. Review the controls over the operating
environment of the data base such as operations
scheduling, monitoring, data base recovery, user
access, etc. The DBM should be responsible for
controlling the data base operating environment,
authorizing any changes to operations impacting
data base usage, and coordinating with users and
application programmers regarding usage, storage,
extraction and retrieval of data in the data
base.

b. Review the preparation of the facility's operating
logs as well as usage reports generated from the
logs. The DBM should be generating data base
usage statistics, data base modification reports,
data utility program usage data, etc. for review
by the director of data processing and other EDP
management personnel.

c. Review the facility's JCL for batch-oriented
applications of special interest to the audit
team to establish the level of control over data
base access provided by the JCL. The EDP auditor
should ensure that individual jobs can only
access specifically identified files or sets of
files in a data base. This control also applies
to online systems in that specific applications
and individual transactions processed via these
applications should access only specific segments
of the data base. Test sample transactions to
determine the integrity of the JCL/online system
data base access controls by attempting to access
unrelated files or segments of the data base.

26. Systems Development and Testing

a. Review the facility's written procedures
governing systems development and testing of new
applications to determine if the DBM participates
in the system development and testing process.
The DBM should review and approve all
modifications to software which affect the data base.
This is especially critical in the areas of
financial applications and classified material
control, and relates to both inhouse and
vendor-prepared modifications.


cr  reviews  new  applications  prior  to  their 
approval  for  use  in  the  facility.  The  internal 
review  staff  should  participate  in  the  data  base 
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and  application  system  development  and  change 
process  to  ensure  that  adequate  controls  are 
being  built  into  the  data  base  and  new  applica¬ 
tions  software. 

c. Review the facility's unit and system testing
standards. These standards should be formalized
into written procedures, and compliance with
these procedures should be documented and
retained for all new system development activities.
The standards should set criteria for
preparing test data bases, accompanying manual
ledgers with anticipated results to check the
accuracy of program algorithms, and documenting
modifications to applications being tested to
provide an audit trail for system development
audits.

d. Review the approaches to development of and
access to test data bases. While all test data
bases and program test documentation should be
maintained in the data dictionary, the DBM should
be restricting access to the test data base and
documentation, and should ensure that applications
development staff controls the sample test
data used to evaluate new applications during the
system testing process. The DBM should also be
testing all modifications to software affecting
the data base prior to acceptance and usage by
customers.

e.  Review  the  testing  program  at  a  detailed  level. 
Specific  areas  to  be  thoroughly  evaluated  and 
steps  to  be  followed  include: 

(1) Review the testing procedures to ensure that
data base backup and recovery procedures for
new applications are tested prior to testing
the entire application to guard against loss
of the test data base.

(2) Ensure that only test data bases are used for
applications testing. The facility should
never allow live data bases to be used for
testing purposes. Various types of test data
bases include unit test data bases used by
application development staff to debug
programs, and benchmark test data bases used
to test program revisions when previous
testing indicates that modifications are
required.

(3) Ensure that data base users have participated
in testing of all applications affecting the
data bases relating to their applications.
User confidence in both the data base and
applications software is critical to effective
control and use of new applications, and
user participation in the testing process is
invaluable in establishing user confidence.
User feedback to applications development
staff is also valuable in development of
program modifications.

27. Systems, Programming and Procedures Documentation

Review the job description of the DBM to ensure
the DBM is responsible for all systems, programming
and procedures documentation relating to the
data base.

Review the written documentation standards to
ensure they establish specific criteria for evaluation
of all documentation affecting the data
base. All documentation relating to the data
base should be thoroughly reviewed and approved
by the DBM prior to program implementation.

Review  the  operating  instructions  and  procedures 
manuals  for  all  applications  programs  accessing 
the  data  base  to  ensure  that  backup  and  recovery 
procedures  are  thoroughly  documented. 

Review the systems, programming and procedures
documentation to ensure that database-related
documentation is cross-referenced in the
documentation and consistent in its approach to
data base access, control and usage.


III. SUMMARY AND CONCLUSION


Operational  auditing  is  not  a  new  concept  or  practice. 
Operational  audits  have  been  conducted  for  many  years  by 
internal  auditors  in  industry  as  well  as  government. 

Various names have been given to audits which involve
more than the traditional financial audit. Some of the more
popular ones are comprehensive auditing, effectiveness
auditing, systems auditing, and operational auditing. This
paper has dealt only with operational auditing. As used
here, an operational audit is an examination of policies,
practices, procedures, and controls used to find out what
areas may be improved. Operational auditing extends well
beyond financial audits, which are concerned with the
receipt, control and disbursements of funds. It includes an
evaluation of the utilization and control of nonfinancial
resources such as property, equipment, personnel, and
supplies. Thus, there is a substantial amount of literature
available for those who wish to study it in greater depth.

A NARDAC is a high technology and fast changing organization.
It covers the development, maintenance and operation
of all information services technologies including the
acceptance testing of software developed externally. It
needs in-place, ongoing evaluation. The commanding officer
of a NARDAC can gain valuable assistance from a constructive
operational audit. In general, managers of NARDACs can not
conduct such in-depth reviews of their own operations though
an internal operational audit group is possible. Several
issues are important in the evaluation of performance at a
NARDAC: Who sets the standards? Who plays what role in
planning for the future? and Who makes basic policy
affecting both the NARDACs and the customers of NARDACs?
Because the NARDACs have Navy wide responsibility for
non-tactical ADP, some of the issues must be resolved by senior
Navy management--they can not be delegated to lower levels.

The NARDAC is an organization whose scope of technologies
to be coordinated has expanded tremendously as
computers, telecommunications and office automation have
merged together, and whose product offerings are extending
into new customer areas. The complexity of implementing
projects, the magnitude of work to be done, and the limited
human resources have forced the NARDAC away from being
primarily a production oriented organization to one where a
significant percentage of its work is concerned with
coordinating the acquisition of outside services for use by its
customers.

Measuring performance at a NARDAC by operational
auditing provides a consistent methodology and basically
uniform technique that can be used to adequately assess
performance in the seven NARDACs. The auditor, however,
must tailor the audit engagement by selecting those steps
that are appropriate to the particular NARDAC, the interests
of the audit client, and the relationship between data
availability and audit resources. This selection is the key
to the success of the audit effort. An overriding consideration
in making the selection is the evidence standard,
promulgated by the U.S. General Accounting Office, which
states: [Ref. 51]

Sufficient,  competent,  and  relevant  evidence  is  to  be 
obtained  to  afford  a  reasonable  basis  for  the  auditors' 
judgements  and  conclusions  regarding  the  organization, 
program,  activity  or  function  under  audit.  A  written 
record  of  the  auditors'  work  shall  be  retained  in  the 
form  of  working  papers. 

It is the rare case where the operational auditor can
isolate the ideal single measure or standard to evaluate
performance. Yet, operational auditing can provide needed
data for improvement.

The focus on productivity improvement as the measure of
a NARDAC's value requires an instrument for measuring
productivity. Usually, productivity relates to people-based
activities, and an operational audit is an ideal tool for
seeing that management has at hand the necessary information
for decisionmaking. Operational auditing involves not only
ascertaining how objectives are being met, but also evaluating
the way the objectives were set in the first place.
Although performance criteria may be applied objectively, it
must be recognized that subjectivity enters into the selection
of these criteria.

A NARDAC is required to recover all of its costs. The
policies, as a NIF activity, are geared toward cost liquidation.
The establishment of appropriate prices is a complex
issue. An appropriate resolution is critical to establishing
and maintaining a realistic relationship between
NARDACs and their customers. NARDACs must continually
search for ways to deliver new products in more efficient
ways.

The previous chapters presented a series of frameworks
for examining the NARDACs and their function of information
services management. In sum the paper specifies the details
as to how an information services operational audit should
be conducted. The NARDAC was treated as a stand-alone business
within the Navy. This permitted the development of the
concepts of control for information services. Issues of
internal accounting control within the NARDAC were not
covered as they do not have a direct impact on the interface
between the NARDAC and its customers.

The  following  overview  of  operational  auditing  is  a 
brief  summary  of  the  various  phases  and  steps  involved  in 
conducting  an  operational  audit:  [Ref.  52] 


At  the  beginning  the  auditor  has  no  idea  where  to  go  or  what 
to  do.  The  first  step  involves  determining  the  total 
(universe) . 

general knowledge of total responsibilities.
Leads to total areas that can be audited.

The  auditor  finds  there  are  many  areas  from  which  to  choose. 
An  area  is  selected. 

Background and general information on areas leads
auditor to select a specific area to be audited.

The auditor selects an area from the universe of areas; then
does a preliminary survey.

Background and general information from area leads
auditor to tentative audit objective by some
evidence and assertions. Possible alternative
tentative objectives considered.

The  objective  of  a  specific  activity  is  determined--very 
tentative.  Also  tentative  alternatives  are  determined.  A 
review  and  test  of  management  control  is  made. 

Tests of management control give auditor evidence
to support firm objective.

A  possible  tentative  report  could  be  prepared  at  this  time. 
Also  a  program  for  the  detailed  examination  is  prepared  if 
audit  is  to  continue. 

The auditor selects firm audit objectives; gathers sufficient,
relevant, material, and competent evidence on audit
objective to come to a conclusion on that objective. The
detailed examination is done.

sufficient, relevant, material, and competent
evidence to support the conclusion on the
objective, including any obtained
in prior phases.


A  summary  of  evidence  in  working  papers  is  made,  sufficient 
to  support  conclusions  on  the  objectives. 

Summarizes all evidence in working papers on the
in order feavg g vgtJtgfele amount for the
report, and to support the auditors' conclusions.

From  summarized  evidence,  the  auditor  prepares  the  report, 
including  conclusions  and  recommendations.  The  report  is 
the  final  product  of  the  audit. 

Uses summarized evidence to support conclusion and
recommendations.


APPENDIX A

DEFINITIONS OF SPECIAL TERMS


_ applies _ A _ _
which persons not respon-
are charged with checking
becomes operational. This approach is intended to foster
objectivity in evaluation of the performance of the program
and to test, in parallel, both the application system itself
and its documentation.


ACCESS METHOD: a procedure by which a program obtains data
from a mass storage file. The common access method for tape
files is sequential. There are several access methods for
disk files that vary from sequential to truly random access.


AUDITABILITY: features and characteristics of an information
system, either computer-based or manual, that allow
verification of the adequacy and effectiveness of controls
and verification of the accuracy and completeness of data
processing results.


AUDIT SOFTWARE: a set of programs which assist auditors in
performing tests on computer data files. The end product is
usually a report analyzing the data in a format designed by
the auditor to accomplish the desired audit objective.


AUDIT TRAIL: files, indexes, reports and references that
allow specific transactions to be traced back to their
source or forward to their final recording in the accounts.
It also is referred to as a management trail since it allows
management to determine propriety of processing and to
follow up on errors.


BATCH CONTROLS: a control procedure used to assure the
conversion or processing of groups of data completely and
accurately.  For  example,  when  a  card  file  is  processed,  the 
last  card  may  have  totals  (sometimes  referred  to  as  hash  or 
control  totals)  of  account  numbers  and  amounts.  As  the 
computer  processes  this  file,  it  adds  up  the  account  numbers 
and  amounts  and  compares  their  sums  to  the  numbers  on  the 
last  card.  If  they  do  not  agree,  an  error  message  is 
printed  and  processing  suspended  until  the  error  is  found 
and  corrected. 


BATCH PROCESSING SYSTEM: a system for collecting and
processing data in groups (batches). Many applications in
business are of this type.


CPU: Central Processing Unit. This is the principal part
of a computer system. It is the CPU which contains the
operating system (the "brain" of the computer) and performs
the processing. The CPU contains the circuitry for the
arithmetic and logic functions included in the computer
design. A variable amount of "main memory" is also associated
with the CPU. Only data and programs contained in
"main memory" can be processed by the logic and arithmetic
functions of the computer.


COMPUTER APPLICATION SYSTEM: a computer-based information
system that includes both manual and computerized procedures
for source transaction origination, data processing and
record keeping, and report preparation.

DATA BASE: a collection of data which is organized in such
a way that allows a data item to be available to different
users within an organization. Rather than having separate
files for each application, all files for all applications
are merged into one "total" file or data base. It is
frequently associated with data base management systems
which rely on such a file structure.


DATA TRANSMISSION (DATA COMMUNICATION): the sending of data
to another location. Typically, information
is sent over telephone wires from outlying terminals to
the central processor. Typical controls which assure the
completeness and accuracy of such transmission are character
counts, message counts and dual transmissions. Data
security is an important internal control consideration in
systems which use data transmission since data and programs
are more susceptible to access by unauthorized persons.


DISK PACK: a device for storing computer created data
files. Although their capacities vary significantly, a
typical disk pack can store millions of characters. Some
disk packs are portable. This allows more than one disk
pack to be placed on a disk drive, the device the computer
uses to read and write from a disk pack. Because of the
portability of some disk packs, good internal control
requires that they be properly safeguarded.

DISTRIBUTED PROCESSING: a decentralized approach to information
processing. A distributed system is an aggregation
of information systems (intelligent terminals or mini-
computers) arranged as relatively independent subsystems
that are tied together through a central computer via
communication networks.


DOCUMENTATION: a means for understanding the purpose of a
program and communicating the program details to a reader.

DOCUMENTATION STANDARDS: an established acceptable level of
documentation. All program and system documentation should
be measured against this standard, and procedures should be
established for bringing inadequate documentation to an
acceptable level.


EDIT: a control technique which determines if data is
inaccurate, incomplete, unreasonable or fails to meet established
criteria. This procedure can be done manually
before processing or by the computer at the beginning or at
subsequent stages in regular processing. This may be the
sole purpose of certain programs (commonly called edit
programs) within an application. Common edits are: edits
for reasonableness or limit tests, such as determining if
wage earner are in excess of 60
, such as no employee or part
ter tests, such as an alpha character (letter) in a numeric
field.


ERROR CORRECTION PROCEDURES: the method by which errors
detected by input, program and processing, and output
controls of the computer system are corrected and resubmitted
for processing. Unless the corrections of errors are
subjected to the same controls as new input data, an otherwise
strong system of internal accounting control could be
ineffective. In general, computer operators and control
clerks should never correct errors committed by a user.

FILE: a complete set of related logical records.

FILE CONTROL: a system of protection and back-up provisions
which help assure that data files will not be harmed or
manipulated intentionally or accidentally. Examples of file
controls are the son-father-grandfather system of back-up,
retention dates on header labels, fireproof storage vaults,
off-premise storage, temperature and humidity controls,
restricted access and file protection rings.


FLOWCHART: a diagram which shows the logic of a program
(the way in which a record is processed) or shows the
sequence in which programs are processed and files are used
or created. Flowcharts of the first type are called program
flowcharts, logic diagrams or logic charts; the latter type
are called system flowcharts.

GRANDFATHER-FATHER-SON: a system for backing up magnetic
media files where previous master files and transaction
files are kept to reconstruct the current master file if
necessary. The current master file (the son) is a product
of processing the last transaction file with the next to
last master file (the father) which itself is the product of
the next to last transaction file and the second oldest
master file (the grandfather).


that are concerned with the decision processes leading to
management's authorization of transactions. Such authorization
is a management function directly associated with the
responsibility for achieving the objectives of the organization
and is the starting point for establishing accounting
control of transactions.


This is where most errors are generally made, and therefore,
the controls should be designed to be as effective as possible.

MASS STORAGE FILES: storage devices, usually on tapes or
disks, which permit the storage of very large volumes of
data.


MASTER FILE: an organized data file which provides the
basis of current information for accounts or other
types of files, such as name and address files. Master
files are updated periodically by other data files (called
transaction files) which include all changes to the file
since the last updating run. The combination of old master
files and transaction files provide the back-up for the
current master file.


OPERATING LOGS: written records of all functions performed
by the computer system, including the jobs processed, the
start time, the stop time, the condition of the termination
of the job (normal or abnormal) and operator actions taken.
Operating logs can be completed by the operator, by the
computer through the console typewriter or by both.


OPERATING SYSTEM: a group of programs that control all
resources  attached  to  the  CPU,  manage  application  programs 
in  process  and  provide  other  supporting  functions. 

OPERATOR: the person with the responsibility of running
jobs on the computer, who generally processes the jobs
according to a prearranged schedule and t
equipment including putting card program decks into the card
reader and mounting tapes and disks on drives.


OPERATOR INSTRUCTIONS: written procedures that operators
follow to run jobs. These instructions cover mounting and
dismounting tapes, changing paper, setting dials and
switches, and responding through the console typewriter. In
general, these instructions include all items necessary for
setting up, processing and completing a job.


PREVENTIVE MAINTENANCE: the process of keeping computer
equipment in acceptable working condition as opposed to
correcting after malfunctions occur. Owners or lessors of
computer equipment generally enter into equipment servicing
contracts with the manufacturer. In addition to providing
for service when equipment breaks down, these contracts call
for cleaning and testing equipment on a periodic basis,
usually weekly.


PROGRAM CODING SHEETS: worksheets used for writing
programs. These forms are designed for ease in keypunching
and for adherence to conventions established for programming
language.


PROGRAM LISTING: a sequential listing of all the statements
of a computer program. In general, program listings
should not be available to computer operators since this
would violate the principle of segregation of duties.


PROGRAM REVISIONS: changes to a computer program. Good
internal control calls for adhering to established documentation
standards whenever a program is changed. A record of
the review and approval of these revisions should be kept.


PROGRAM TESTING PROCEDURES: the established method for
testing new programs or changes to existing programs. Test
data, sometimes called test decks, should be designed to
thoroughly test all logic paths within the program. Valid
as well as invalid data should be used to test the program.
Once the test data is created, it should be retained to
document this testing of the program and to be available for
testing program revisions.


RESTART: the capability to continue processing a file after
a program stops at an interim point for some reason. Many
programs can take a relatively long time to process a file,
primarily because of the volume of data on the file itself.
On occasion processing will be halted abnormally. If it
were necessary to begin all programs at the beginning each
time, hours of processing could be lost. Restart capabilities
therefore can be important from an efficiency point of
view.

RETENTION DATE: a date placed upon the label of a tape or
disk which tells the computer, operator or librarian how
long the file is to be kept. If the retention date has not
passed, the file should not be updated or discarded
(scratched).

... a description of the processing of a job by the
computer; the printed output related to the processing
of a job.

RUN BOOKS: a potentially ambiguous term. In some installations
they refer to operators' manuals which are used to
process jobs. In other installations they refer to manuals
which contain all documentation for an application. The
difference is important, since if operators have access to
run books and they contain all information on an application,
good principles of internal controls are violated.

SCRATCH: a description of a tape or disk which is ready to
accept new data; the process of making a tape or disk ready
to accept new data.

SEQUENCE CHECKING: an editing procedure that compares the
control number in a sequential file with the previous
control number. If it is not greater than or equal to the
previous number, the program notes that a sequence error has
occurred.
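
The procedures defined in the BATCH CONTROLS and SEQUENCE CHECKING entries above, worked through as an added Python example that is not part of the original thesis. The record layout, function names and the sample batch are constructed for illustration.

```python
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    control_no: int    # control number used by the sequence check
    account_no: int
    amount: Decimal


@dataclass(frozen=True)
class Trailer:
    """The 'last card': totals taken when the batch was prepared."""
    account_hash: int      # hash total: sum of account numbers
    amount_total: Decimal  # control total: sum of amounts


class BatchSuspended(Exception):
    """Raised in place of posting when any control fails."""

    def __init__(self, errors):
        super().__init__("; ".join(errors))
        self.errors = errors


def make_trailer(txns):
    """Compute the control totals for a list of transactions."""
    return Trailer(
        account_hash=sum(t.account_no for t in txns),
        amount_total=sum((t.amount for t in txns), Decimal("0")),
    )


def control_total_errors(txns, trailer):
    """Re-add the file and compare the sums with the trailer record."""
    computed = make_trailer(txns)
    errors = []
    if computed.account_hash != trailer.account_hash:
        errors.append(f"hash total: computed {computed.account_hash}, "
                      f"trailer {trailer.account_hash}")
    if computed.amount_total != trailer.amount_total:
        errors.append(f"amount total: computed {computed.amount_total}, "
                      f"trailer {trailer.amount_total}")
    return errors


def sequence_errors(txns):
    """Flag any control number lower than the one before it.

    Equal numbers pass, matching the 'greater than or equal' rule above.
    """
    errors = []
    previous = None
    for position, txn in enumerate(txns, start=1):
        if previous is not None and txn.control_no < previous:
            errors.append(f"sequence: record {position} has "
                          f"{txn.control_no} after {previous}")
        previous = txn.control_no
    return errors


def post_batch(txns, trailer):
    """Post amounts to accounts only if every control agrees."""
    errors = control_total_errors(txns, trailer) + sequence_errors(txns)
    if errors:
        # Processing is suspended until the error is found and corrected.
        raise BatchSuspended(errors)
    balances = {}
    for txn in txns:
        balances[txn.account_no] = (
            balances.get(txn.account_no, Decimal("0")) + txn.amount)
    return balances


# Constructed sample batch and the trailer prepared with it.
BATCH = [
    Txn(101, 40012, Decimal("125.00")),
    Txn(102, 40017, Decimal("310.50")),
    Txn(103, 40012, Decimal("-20.00")),
    Txn(104, 40031, Decimal("75.25")),
]
TRAILER = make_trailer(BATCH)

if __name__ == "__main__":
    print(post_batch(BATCH, TRAILER))
    # One account number keyed wrongly: amounts still agree, hash does not.
    misposted = [BATCH[0], replace(BATCH[1], account_no=40071)] + BATCH[2:]
    try:
        post_batch(misposted, TRAILER)
    except BatchSuspended as exc:
        print("suspended:", exc)
```

Two offsetting errors in account numbers leave the hash total unchanged, so a matching total does not by itself prove that every record is correct.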


SERVICE CENTER: an organization which provides data
processing and other closely related services to other
organizations.


SOFTWARE: computer programs.

SOURCE DOCUMENTS: the beginning point for data entering the
computer system. These documents originate in user departments
and may be in the form of time cards, purchase requisitions,
etc. After the data are entered into the computer
system, these documents should be stored or returned to the
customer.


STRUCTURED PROGRAMMING: the group of techniques that
provide specific guidelines to programmers on how they may
use programming languages and how elements of programs fit
together to form an application system. These techniques
were initially developed with the intent of providing more
controllable and usable programs. They also offer, as a
fringe benefit, improved auditability of programs produced
under these techniques. The techniques falling under this
heading are as follows:


Chief Programmer Team Organization. This technique is
based on the establishment of a small, integrated team
headed by a chief programmer and supported by two or
three analysts and programmers and a librarian. Use of
this approach has proved effective in many instances.


This technique consists of designing
ir^griFldff^ly specifying the highest level functions
first and then proceeding downward to greater and
greater detail. Use of this approach tends to organize
programs more simply and effectively.


Modularization. This technique focuses on careful
of programs into common and generally
useful modules to ensure simplicity and minimum redundancy.


Structured Coding. This approach uses c
conventions for syntax and program format to ensure that
the programs are more easily understood and are less likely
to contain errors.



A planned review of system specifications
by peers of the developers. This approach
has been effective in minimizing built-in errors.


Top-down Testing. Skeleton control modules are tested
first and testing then progresses down the module structure to
finally test the entire system.


(The auditor should focus on determining the presence or
absence of the above or related techniques and the effectiveness
of their use. Evidence of the use of these techniques
can be considered a positive sign even though the
auditor may be unable to fully appreciate and understand the
mechanics of the techniques.)

SYSTEM ANALYSIS: process of studying systems to determine
if changes should be made and if so, how they should be
carried out.


s^stf a  designing,  testing  and  implementing  new 

TIME SHARING: a method of data processing which provides
extensive data processing capability on a basis that would
not be practical or economically feasible if maintained
individually by each user. Generally a wide range of
computerized applications are af, 1?kitrpn°U*'ly for
many users. These users in effect "share" the CPU.

TRANSACTION FILE: record of all changes to a master file
since the last master file updating run.

UTILITY PROGRAMS: programs provided by manufacturers to
assist an installation in the functioning of its data
processing. Examples of such programs are sorts, merges,
and DITTO (a program which, among other things, allows for
dumping or copying a file).